Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
INTRUSION DETECTION SYSTEM USING DEEP LEARNING
FOR DoS ATTACK DETECTION
ANDRE ARTA KURNIAWAN, 2JUSAK, 3MUSAYYANAH
Program Studi/Jurusan Teknik Komputer.
University Dinamika Jl.
Raya Kedung Baruk 98 Surabaya, 60298 e-mail: 1andrearta1@gmail.
com, 2jusak@dinamika.
id, 3musayyanah@dinamika.
ABSTRACT
Various attacks on a computer network or the internet have generated many incidents and cases, this makes security threats in using the internet or computer networks a major focus.
Denial of Service attack or often referred to as DoS attack is one of the attack techniques that carry out flooding packets or requests to the target computer until the target computer is down.
Prevention is needed in order to minimize existing attacks.
IDS can be used as a detector in network traffic, but because IDS has its limitations, an IDS system is built using Deep Learning to detect DoS attacks.
By using the data from the wireshark log as a dataset, it is necessary to do data normalization which will then be inputted into CNN VGG-19.
The test results that have been carried out with variations in the data inputted into the CNN VGG19 produce an average accuracy of 99.
32% with an average loss of 4.
08%, and by varying the iteration of the training process the resulting accuracy is 99.
17% with an average loss - an average of 4.
And the ROC Curve value for the True Positive Rate and the False Positive Rate is 1.
Keywords: Intrusion Detection System.
DoS Attack.
Deep Learning.
Convolutional Neural Network.
Wireshark
INTRODUCTION
In the present day, there is a lot of case has been founded such as internet users who are under digital attacked.
or example.
AuBobol Akun e-Banking.
Pemilik Kehilangan Uang Rp1 MiliarAy (Abdi, 2.
There are also cases of suddenly the user's smartphone locks by itself .
or example.
AuHati-hati Pakai WiFi Gratisan.
HP Bisa Diretas Hacker JahatAy (Franedya, 2.
Digital attacks that threaten internet security are a type of Denial of Service (DoS) attack.
In general case.
DoS attacks carried out with AufloodingAy the computer network with a many requests at the same time.
The purpose of these attacks are make the computer network down so that the other users unable to used the current connection in their computer network system.
(Dogru & Masetic, 2.
One way to solve these kind of network attacks is to use an Intrusion Detection System (IDS), which has function to detect if there are attacks into a server.
IDS works by observing for every traffic that exist on network and will give a warn if there is abnormal traffic Therefore.
IDS is very important in computer networks, there are a lot of research about computer networks that focuses on developing IDS.
One of them is by applying machine learning method on IDS.
(Zamani & Movahedi.
Machine learning is one of branches computer science which give a computer system capabilities to learn from the data without explicitly programmed.
(Purnama, 2.
The deep learning method is one of the developments of machine learning that studies data more deeply and uses a multi-layered learning process.
This study will apply one of deep learning methods, also known as the Convolutional Neural Network algorithm which will increase the capability of IDS to detect of attacks.
Because attack traffic often has multiple models.
IDS with CNN can study the traffic itself without writing an explicit detection DOI: http://doi.
org/10.
54732/jeecs.
Available online at: https://ejournal.
id/index.
php/jeecs Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
Previous IDS research analyzed IDS capabilities using the KDD 1999 dataset (Sinh-Ngoc Nguyen dkk, 2.
However, this research will use SYN Flood.
UDP Flood, and Ping of Death attack types to test CNN's ability on IDS.
And also, this study will also use log results from Wireshark and the ISCX-IDS-2012 dataset as training data.
METHOD
The Deep Learning method can be considered as a combination of Machine Learning with Artificial Neural Networks (Primartha, 2.
In deep learning, computers study from the data using a layered network of neurons.
This is similar to the structure of the human brain, which studies sensor data over a neuron network that so complex.
In this study, the CNN deep learning method was used to detect attacks on network traffic.
The system design used is shown in Figure 1.
Figure 1.
IDS System Design Using Deep Learning (Source: Kurniawan, 2.
All network traffic data will be captured by the Wireshark program, a program that can capture all packets crossing the network.
From the captured packet, log data is used as CNN input data.
Because CNN is a branch of machine learning, a training process is needed before CNN can be used to test For the IDS system training process, various log data are made with a mixture of normal traffic data and attack After the training process is complete, the system can be validated with test traffic data.
1 Convolutional Neural Network The CNN architecture is similar to the visual cortex of an animal, in that the neural network receives input image data.
The input data for each CNN layer also uses a three-dimensional structure.
In generally, the CNN architecture consists of input layers, output layers, and hidden layers.
The hidden layer on CNN is often referred as the Feature Extraction Layer (Sena, 2.
And the hidden layer consists of a Convolution Layer and a Pooling Layer.
At the Convolution Layer, the dimensions of the input data will be taken according to the filter size.
For example, if the filter dimension size is 3x3 and the input data dimension size is 5x5, then the input data dimension will be taken according to the filter size which is 3x3.
Then the multiplication process will be carried out as many as the number of filters used.
The Pooling Layer functions are to maintain the size of the data when convolution is carried out, namely by reducing the sample or also known as downsampling (Suyanto.
Ramadhani, & Mandala, 2.
Max pooling is the most common polling process, while the average pooling method is rarely used (Michelucci, 2.
Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
The CNN architecture in this study uses the VGG-19 model.
The architecture consists of 16 convolutional layers, 5 pooling layers, and 3 fully-connected layers.
CNN architecture as a whole, there are 24 layers and 19 layers that have weight, because the pooling layer has no weight.
In the fully connected layer, each neuron has full connection to all activations in the previous layer.
The convolutional layer used in this study has a different number of filters.
Conv-1 has 64 filters.
Conv-2 has 128 filters.
Conv-3 has 256 filters, while Conv-4 and Conv-5 have 512 filters.
In the VGG-19 architecture, the activation layer used is ReLU or Rectified Linear Unit.
The ULT function will apply the maximum activation function f .
= max .
, .
If the value of x is negative, then its function will set the return value to zero.
Meanwhile, if the value of x is positive, then its function will set the return value in accordance with x.
The loss function used in this study is binary classification.
This is because the IDS system functions to detect only two statuses or two classes, namely DoS attack conditions or normal network conditions.
2 DoS Attack The types of DoS attacks that are simulated in this study are SYN Flood.
UDP Flood, and Ping of Death, which are the most common types of attacks in 2015.
In general, a DoS attack sends many request packets to make the computer network down.
In a SYN Flood attack, the attacker sends multiple SYN packets so the target is forced to continue responding to these packets by repeatedly sending SYN ACK packets.
In reality, when an attacker uses a SYN Flood it is only intended to overrun the target and does not intend to establish a connection using the Transmission Control Protocol (TCP).
In a UDP Flood attack, the attacker takes advantage of the User Datagram Protocol (UDP) characteristic that can directly send packets to the target without the need to make a connection like TCP.
With the large amount of data sent by the attacker suddenly, it makes the target down.
In a Ping of Death attack, the attacker sends many ping packets to the target so that the target becomes overwhelmed and has to reply to all of the ping packets.
Although generally the length of a ping packet is only 32 bytes, but the ping packet size can be set up to a maximum of 65 KB.
With such a large number of ping packet traffic in a DoS attack, the network can crash.
3 Dataset Examples of log data from Wireshark can be seen in Table 1.
There are 10 packet parameters used as input on CNN, namely the source IP address, source port, destination IP address, destination port, protocol, packet length, data length, data in hexadecimal form, text data, and package information.
Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
Table 1.
Log Data for CNN Input (Source: Kurniawan, 2.
From all the Wireshark log results, the data will be divided into two parts, 80% for training data and 20% for test data.
And also, in the training process, for each variation of the number of iterations will be ran for 10 times, ranging from 10 iterations to 100 iterations with multiples of 10.
4 Data Normalization Because the CNN method is generally used for image input data, the Wireshark log data in the form of text must first be determined using the ASCII code so that it becomes a value between 0 and 255.
This corresponds to the color value in an image pixel, expressed in bytes.
After the data is converted into byte values, the data is arranged into a 32x32x3 three-dimensional matrix.
Size 3 in the third dimension resembles the number of layers in a color image, which consists of layers of red, green, and While the size 32x32 is intended to form an image with a size of 1024 pixels.
Figure 2.
Normalization of Data for CNN Input (Source : Kurniawan, 2.
Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
If the number of pixels in the CNN input image is counted, then the number will require 3072 data.
When the data for one packet from the Wireshark log is less than 3072 bytes of data, then the data will be duplicated until one packet can meet the 3072 pixel images needed as one CNN input data.
5 Accuracy Calculation This attack detection system is a system that only decides a binary value, so testing the IDS system can be done by calculating the True Positive Rate (TPR) value and the False Positive Rate (FPR) value.
From the TPR and FPR values, the level of accuracy of the attack detection system using the CNN method can be analyzed.
The TPR value is obtained from equation 1.
The True Positive (TP) value is obtained from the number of DoS attack data that is correctly detected as an attack, while the False Negative (FN) value is the amount of DoS attack data that is incorrectly detected as normal traffic.
ycNycEycI = ycNycE AE.
cNycE yaycA) The FPR value is obtained from equation 2.
The False Positive (FP) value is obtained from the amount of normal traffic data that is incorrectly detected as an attack, while the True Negative (TN) value is the amount of normal traffic data that is correctly detected as not an attack.
yaycEycI = yaycEAE.
aycE ycNycA) RESULT AND DISCUSSION 1 CNN Accuracy Testing Against Data Variations The purpose of this test is to test how accurate the CNN system is in detecting DoS attacks with varying data.
The variation data used is taken from the results of capturing the wireshark log which is done 5 times with the wireshark capturing for about 5 minutes.
From the log results, different traffic logs are obtained with different amounts of data.
This log data will then be normalized first which will then be inputted into CNN.
Table 2.
The Results of Testing The Accuracy of CNN on Data Variations Total Network Activity Loss (%) Accuracy (%) Data Normal (%) DoS (%) (Source: Kurniawan, 2.
Table 2 shows the results of the CNN test on data variations.
From table 2 the test results can be seen that the total amount of data generated when the wireshark captures varies with the same duration for approximately 5 minutes.
The resulting percentage for normal network activity averaged 64.
49% and the average DoS attack activity percentage In testing, a training process was carried out with a total of 50 iterations for all data, and the smallest loss was 96% and the greatest was 5.
76% and the accuracy results were 99% for all data testing.
Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
Figure 3.
The Results of Normalization of Test Data are Plotted Into Pictures.
(Source: Kurniawan, 2.
Figure 3 shows the results of the data that have gone through the data normalization process and then plotted into a picture.
This is done because the neural network used in this Final Project research uses images as input.
Samples Indentified by VGG19 Samples Normal Dos Attack Playload Types Figure 4.
Network Activity Bar Graph (Sumber: Kurniawan, 2.
Figure 4 shows the bar graph of the CNN detection results between DoS attack activity and non-DoS attack.
The data used in this detection uses separate test data from training data.
Figure 5.
Loss Chart of The Training Process And The Validation Process With 50 Iterations (Sumber: Kurniawan, 2.
Figure 6.
Graph Accuracy Training Process And Validation Process With 50 Iterations Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
(Sumber: Kurniawan, 2.
Figure 5 and Figure 6 show the loss graph and accuracy graph for the training process and the validation The training process on the loss chart shows the initial results of the loss above 10% at the beginning of the training process then decreases by less than 10 iterations and the results of the loss for the validation process show the results of 5% at the beginning of the training process.
The accuracy results during the training process showed a result of 97% at the beginning of the training process then increased to 99% after going through 10 iterations.
2 CNN Accuracy Testing Against Training Process Iteration Variations The purpose of this test is to see the effect of CNN's accuracy in detecting DoS attacks on variations in the length of the training process with varying data.
The variation in the training process is meant to change the number of The results of tests carried out using 5 different data from the previous test.
The training process is carried out 10 times for each data with the number of iterations between 10 and 100 with multiples of 10.
Table 3.
The Results of The 1st Test for CNN's Accuracy Against Variations In The Training Process Iteration No Total
Long Training Network Activity Long
Loss (%) Accuracy Data
Process (Total Time
(%)
Iteras.
Normal (%) DoS (%) Source : Kurniawan, 2.
Table 4.
The Results of The 2nd Test for CNN's Accuracy Against Variations In The Training Process Iteration No Total
Long Training Network Activity Long
Loss (%) Accuracy Data
Process (Total Time
(%)
Iteras.
Normal (%) DoS (%) Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
Source : Kurniawan, 2.
Table 5.
The Results of The 3rd Test for CNNAos Accuracy Against Variations In The Training Process Iteration No Total Long Training Network Activity Long
Loss (%) Accuracy Data
Process (Total Time
(%)
Iteras.
Normal (%) DoS (%) Source : Kurniawan, 2.
Table 6.
The Results of The 4th Test for CNN's Accuracy Against Variations In The Training Process Iteration No Total Long Training Network Activity Long
Loss (%) Accuracy Data
Process (Total Time
(%)
Iteras.
Normal (%) DoS (%) Source : Kurniawan, 2.
Table 7.
The Results of The 5th Test for CNN's Accuracy Against Variations In The Training Process Iteration No Total Long Training Network Activity Long
Loss (%) Accuracy Data
Process (Total Time
(%)
Iteras.
Normal (%) DoS (%) Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
Source : Kurniawan, 2.
Table 3 to table 7 shows the results of the CNN test on the variation iteration of the training process.
From table 3 to table 7, it can be seen that the percentage results of network activity have begun to vary with the variation in the input data entered into CNN.
The length of time the training process takes the longer the number of iterations However, the amount of data entered can affect the length of time the training process takes.
For the least amount of data in the first test, the time required for the training process with 100 iterations is 1056 seconds or 17 minutes 36 seconds.
Whereas in the second test with the most amount of data it took 1919 seconds or 31 minutes 59 For the resulting accuracy results an average of 99.
17% and an average of 4.
In several experiments the amount of data affects the results of the CNN process carried out, by having a large number of datasets the better the results will be obtained.
3 TPR and FPR Testing of DoS Attack Detection Results The purpose of this test is to know and see the results of the ROC Curve.
This ROC Curve is a graph showing the result of the value between the True Positive Rate and the False Positive Rate.
This ROC Curve value will be used to find out how well the CNN system is correct in predicting.
Figure 7.
The ROC Curve Graphic (Source: Kurniawan, 2.
Figure 8.
The ROC Curve Graph Is Enlarged at The Top Left (Source: Kurniawan, 2.
Figure 7 and Figure 8 show the results of the TPR and FPR testing of the DoS attack detection results.
From the test results, each test data was carried out for 5 experiments with different iterations with the aim of whether the effect of different iterations could provide significant results on TPR and FPR.
Figure 7 is the original graph when Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
plotted and Figure 8 is the result of the graph that has been enlarged to the upper left to see in more detail, from Figure 7 the graph results can be seen that the ROC Curve value is obtained at 1.
For the graph results from Figure 7, this coverage is visible because CNN requires more datasets to input and CNN only detects 2 classes whether it is a DoS attack or not a DoS attack.
Figure 9.
Confusion Matrix (Source: Kurniawan, 2.
Confusion matrix results are obtained where the confusion matrix output is in the form of a table in which the column section is the true and false prediction column, and in the row section is the actual true and false row.
The confusion matrix value in each of these test results is related to the ROC Curve graph.
By using the values from the confusion matrix, values for other parameters such as accuracy, precision.
TPR.
FPR can be generated.
CONCLUSION
The conclusions obtained from the research results.
IDS using deep learning for detection of DoS attacks are as By using wireshark log data and through data processing, the normalization of IDS implementation using deep learning can be done.
IDS results using Deep Learning can detect network activity between Dos attacks and non-DoS attacks in the form of a bar graph.
In testing the CNN accuracy of data variations by running 5 test data, the results obtained an average accuracy 32% with an average loss of 4.
In the CNN accracy test of the various iterations of the training process, 5 test data were run with each data being carried out 10 experiments with different iterations, then the results were obtained that the increasing number of iterations the time it takes to conduct training will be longer and the amount of data inputted will also affect the length of time the training process.
For the resulting accuracy an average of 99.
17% with an average loss of 4.
The results of the True Positive Rate and False Positive Rate are obtained by running 5 test data where each data is carried out 5 times with different iterations then the results of 5 experiments are presented in one graph, with the area value under the ROC Curve for the 5 test data of 1.
SUGESSTION
For further research on IDS using deep learning, the suggestions to be conveyed are as follows :
Added the attack method used so that it can test CNN in detecting variations in the types of attacks that are The inputted data can be added even more, by adding attack methods and the data inputted more, can be further analyzed for the results of loss, accuracy.
FPR, and TPR.
Journal of Electrical Engineering and Computer Sciences Vol.
Issue 2.
Desember 2021
P-ISSN: 2528-0260 E-ISSN: 2579-5392
For maximum results, the implementation of IDS using Deep Learning can be done on a real computer network so that the data that will be inputted into CNN corresponds to real data that occurs in actual computer network activities.
REFERENCES