Machine learning is an effective analysis tool for detecting suspicious events in network traffic flows. In this paper, our major contribution is to process and transform the CIRA-CIC-DoHBrw-2020 time-series dataset to train deep learning models for network intrusion detection. Our detection algorithms classify the data using a two-layer network approach. At the first layer, we classify DNS over HTTPS (DoH) and non-DoH traffic, and at the second layer, we characterize benign-DoH and malicious-DoH. We use 26 of the 34 features describing every pattern of network traffic. The DoH predictions from the first layer are passed to the second layer, which characterizes them as benign or malicious DoH. We then feed the data to a fully connected neural network and four types of recurrent neural networks: Long Short-Term Memory, Bidirectional Long Short-Term Memory, Gated Recurrent Unit, and Deep Recurrent Neural Network. The proposed methods are simple and efficient, so they can be applied to computer systems with limited resources. The generated models are small, so they can be deployed easily and quickly into the Internet network environment.
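The two-layer routing described in the abstract, as an added example that is not the paper's code: nearest-centroid classifiers stand in for the neural networks, and every flow and both scaled features are constructed placeholders, not fields of the dataset. It shows a property of any such cascade that matters for detection: a malicious DoH flow that layer 1 labels non-DoH never reaches layer 2, so end-to-end recall can be lower than layer 2's own recall.

```python
# Added illustration: nearest-centroid models stand in for the paper's neural networks.
# All flows are constructed; the two scaled features are hypothetical placeholders.

def fit_centroids(samples):
    """samples: list of (features, label) -> {label: centroid}."""
    groups = {}
    for x, y in samples:
        groups.setdefault(y, []).append(x)
    return {y: tuple(sum(c) / len(xs) for c in zip(*xs)) for y, xs in groups.items()}

def predict(centroids, x):
    """Return the label whose centroid is closest to x (squared Euclidean)."""
    return min(centroids, key=lambda y: sum((a - b) ** 2 for a, b in zip(x, centroids[y])))

def cascade(layer1, layer2, x):
    """Layer 1 gates: only flows predicted DoH ever reach layer 2."""
    if predict(layer1, x) == "non-DoH":
        return "non-DoH"
    return predict(layer2, x)

# Constructed training flows: (feature_a, feature_b), final label.
TRAIN = [
    ((0.9, 0.1), "non-DoH"), ((0.8, 0.2), "non-DoH"), ((1.0, 0.0), "non-DoH"),
    ((0.2, 0.2), "benign-DoH"), ((0.3, 0.3), "benign-DoH"),
    ((0.2, 0.8), "malicious-DoH"), ((0.3, 0.9), "malicious-DoH"),
]
# Layer 1 collapses both DoH classes into one label; layer 2 trains on DoH flows only.
LAYER1 = fit_centroids([(x, "non-DoH" if y == "non-DoH" else "DoH") for x, y in TRAIN])
LAYER2 = fit_centroids([(x, y) for x, y in TRAIN if y != "non-DoH"])

# Constructed test flows; the last one is malicious DoH that resembles non-DoH.
TEST = [
    ((0.85, 0.15), "non-DoH"), ((0.25, 0.30), "benign-DoH"),
    ((0.30, 0.80), "malicious-DoH"), ((0.80, 0.60), "malicious-DoH"),
]

def malicious_recall(classify):
    """Fraction of truly malicious test flows that classify() labels malicious."""
    mal = [x for x, y in TEST if y == "malicious-DoH"]
    return sum(classify(x) == "malicious-DoH" for x in mal) / len(mal)

if __name__ == "__main__":
    for x, truth in TEST:
        print(x, truth, "->", cascade(LAYER1, LAYER2, x))
    print("layer 2 alone:", malicious_recall(lambda x: predict(LAYER2, x)))
    print("end to end:  ", malicious_recall(lambda x: cascade(LAYER1, LAYER2, x)))
```

When evaluating a cascade like this, report end-to-end metrics alongside per-layer ones, since layer-1 false negatives are invisible in layer 2's confusion matrix.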
Companion
APSIPA Transactions on Signal and Information Processing Special Issue - Learning, Security, AIoT for Emerging Communication/Networking Systems