User behavior based host-level intrusion detection using deep neural network

Abstract

Intrusion detection is a relevant field of information security, and different artificial intelligence methods are used to identify cyberattacks and anomalies in the networks and hosts. In this research, we address the problem of identifying host-level intrusion detection through time-series data analysis of user behavior. Data such as TCP/IP connections, size of transferred data, and running processes in the host were analyzed. A specialized tool was developed to build a dataset from Windows-based desktop by gathering data of Windows users' normal and abnormal behaviors. The following unauthorized actions as permission escalation, transferring of sensitive user data, SSH service launching, or session opening were treated as intruder activities. Gathered data was proceeded using MD5 feature hashing and normalized, applying min-max scaling or L2 norm depending on the data type. A deep learning approach using LSTM autoencoder was implemented for host intrusion detection. The model was trained until 100 epochs using a dataset collected during two days, while the third day’s data were used for model testing. Analysis of the resulting accuracy of the model was performed, and the highest accuracy of 78.57% was achieved when nine records grouped the data. Finally, results were compared with the public dataset ADFA-LD, and corresponding conclusions were made.