Visible to the public Authenticating IDS autoencoders using multipath neural networks

Submitted by grigby1 on Thu, 10/20/2022 - 3:16pm
TitleAuthenticating IDS autoencoders using multipath neural networks
Publication TypeConference Paper
Year of Publication2021
AuthorsLarsen, Raphaël M.J.I., Pahl, Marc-Oliver, Coatrieux, Gouenou
Conference Name2021 5th Cyber Security in Networking Conference (CSNet)
Date Publishedoct
KeywordsArtificial neural networks, composability, integrated circuits, Intrusion detection, measurement uncertainty, Metrics, pubcrawl, resilience, Resiliency, security, Sensor phenomena and characterization, Sensor systems, Windows Operating System Security
AbstractAn Intrusion Detection System (IDS) is a core element for securing critical systems. An IDS can use signatures of known attacks, or an anomaly detection model for detecting unknown attacks. Attacking an IDS is often the entry point of an attack against a critical system. Consequently, the security of IDSs themselves is imperative. To secure model-based IDSs, we propose a method to authenticate the anomaly detection model. The anomaly detection model is an autoencoder for which we only have access to input-output pairs. Inputs consist of time windows of values from sensors and actuators of an Industrial Control System. Our method is based on a multipath Neural Network (NN) classifier, a newly proposed deep learning technique. The idea is to characterize errors of an IDS's autoencoder by using a multipath NN's confidence measure \$c\$. We use the Wilcoxon-Mann-Whitney (WMW) test to detect a change in the distribution of the summary variable \$c\$, indicating that the autoencoder is not working properly. We compare our method to two baselines. They consist in using other summary variables for the WMW test. We assess the performance of these three methods using simulated data. Among others, our analysis shows that: 1) both baselines are oblivious to some autoencoder spoofing attacks while 2) the WMW test on a multipath NN's confidence measure enables detecting eventually any autoencoder spoofing attack.
DOI10.1109/CSNet52717.2021.9614279
Citation Keylarsen_authenticating_2021
Groups: