Intrusion Detection Using Payload Embeddings

TL;DR: This study proposes a payload-based intrusion detection scheme, <monospace>PayloadEmbeddings</monospace>, using byte embeddings of the payloads of network packets, using a shallow neural network to generate vector representations for bytes and their corresponding payloads.

Abstract: Attacks launched over the Internet often degrade or disrupt the quality of online services. Various Intrusion Detection Systems (IDSs), with or without prevention capabilities, have been proposed to defend networks or hosts against such attacks. While most of these IDSs extract features from the packet headers to detect any irregularities in the network traffic, some others use payloads alongside the headers. In this study, we propose a payload-based intrusion detection scheme, <monospace>PayloadEmbeddings</monospace>, using byte embeddings of the payloads of network packets. We employ a shallow neural network to generate vector representations for bytes and their corresponding payloads. Our feature extraction technique is coupled with the <inline-formula> <tex-math notation="LaTeX">$k$ </tex-math></inline-formula>-Nearest Neighbours (<inline-formula> <tex-math notation="LaTeX">$k$ </tex-math></inline-formula>NN) algorithm for the classification of packets as intrusive or non-intrusive. In our experiments, we evaluated 34 publicly available datasets, and used ten distinct payload-based, labeled intrusion detection datasets to train and evaluate our approach. Our empirical results show that <monospace>PayloadEmbeddings</monospace> reaches between 75% and 99% accuracy across all datasets. Finally, we compare our approach to other state-of-the-art and traditional intrusion detection techniques. Our findings suggest that <monospace>PayloadEmbeddings</monospace> demonstrates significant advantages over the other techniques on most of the datasets.