Hybrid intrusion detection and signature generation using Deep Recurrent Neural Networks

  • Sanmeet Kaur
  • Maninder Singh
Hybrid Artificial Intelligence and Machine Learning Technologies


Automated signature generation for Intrusion Detection Systems (IDSs) for proactive security of networks is a promising area of research. An IDS monitors a system or the activities of a network to detect any policy violations or malicious actions and produces reports for the management system. Numerous solutions have been proposed by various researchers so far for intrusion detection in networks. However, the need to efficiently identify any intrusion in the network is on the rise as network attacks are increasing exponentially. This research work proposes a deep learning-based system for hybrid intrusion detection and signature generation of unknown web attacks, referred to as D-Sign. D-Sign is capable of successfully detecting and generating attack signatures with high accuracy, sensitivity and specificity. It has been for attack detection and signature generation of web-based attacks. D-Sign has reported significantly low False Positives and False Negatives. The experimental results demonstrated that the proposed system identifies the attacks more proactively than other state-of-the-art approaches and generates signatures effectively, thereby causing minimum damage due to network attacks.


Deep learning; Intrusion Detection System; LSTM; Attack detection; Signature generation; Machine learning; Web attacks; Zero-day attack




Copyright information

© Springer-Verlag London Ltd., part of Springer Nature 2019

Authors and Affiliations

  1. Computer Science and Engineering Department, Thapar University, Patiala, Punjab, India
