Conceitos essenciais
Genos, a general in-network framework for unsupervised anomaly-based network intrusion detection, achieves high throughput, interpretability, and trivial updating overhead by extracting model-agnostic rules.
Resumo
The paper proposes Genos, a general in-network framework for unsupervised anomaly-based network intrusion detection (A-NIDS). Genos consists of three modules:
- Model Compiler:
- Adopts a divide-and-conquer approach to extract model-agnostic rules from the A-NIDS source model.
- Utilizes a Score Clustering Tree to partition the feature space into subspaces based on the source model's anomaly scores.
- Designs a Decision Boundary Estimation method to approximate the decision boundaries of the source model in each subspace using axis-aligned rules.
- Translates the extracted rules into P4 tables for efficient in-network deployment.
- Model Interpreter:
- Provides interpretable explanations for anomaly detections by analyzing the feature deviations from the extracted rules.
- Outperforms a state-of-the-art interpretation method (LIME) in terms of efficiency and accuracy.
- Model Debugger:
- Identifies and updates the rules responsible for false positives through two modes: patching mode and excluding mode.
- Enables incremental updates by only fine-tuning the affected rules, reducing the overhead compared to retraining the source model.
Genos is implemented on a commodity programmable switch, achieving a throughput of around 100 Gbps, high interpretability, and trivial updating overhead, outperforming several prior works.
Estatísticas
The network traffic datasets used are CIC-IDS and TON-IoT, containing a wide range of realistic attack traffic.
The source A-NIDS models (autoencoder, variational autoencoder, one-class SVM, isolation forest) achieve AUC scores ranging from 0.9879 to 0.9998 on the datasets.