Institutional Repository

Intrusion Detection with Deep Learning Classifiers: A Synergistic Approach of Probabilistic Clustering and Human Expertise to Reduce False Alarms

dc.contributor.author Githinji, Stanley
dc.contributor.author Ataro, Edwin
dc.contributor.author Maiga, Abdoul-Aziz
dc.date.accessioned 2024-02-10T08:15:18Z
dc.date.available 2024-02-10T08:15:18Z
dc.date.issued 2024-01
dc.identifier.uri https://unilibrary.zetech.ac.ke:8443/xmlui/handle/zet/188
dc.description.abstract Intrusion detection systems (IDS) have seen an increasing number of proposals by researchers utilizing deep learning (DL) to safeguard critical networks. However, they often suffer from high false alarm rates, posing a significant challenge to their deployment in critical networks. This paper presents a comprehensive human-machine framework for mitigating false alarms in DL-based intrusion detection systems. The proposed approach uses probabilistic clustering to enable human-machine collaboration in a synergistic manner. Probabilistic clustering involves regrouping network traffic into clusters based on their probabilities (computed using the DL model). Clusters with high false alarms (H-FAR) are detected, and all traffic falling within them is considered uncertain for efficient classification by the DL model as malicious or benign. They are redirected to human experts to analyze and make a final decision. The proposed framework incorporates a next-generation firewall (NGFW) to help human experts handle the processed traffic efficiently. The proposed framework enhances the performance of DL-based intrusion detection classifiers by reducing false alarms. To validate the proposed concept, assessments were conducted using a customized high-performance convolutional neural network (CNN) and a hybrid recurrent neural network (RNN) model with three open-access benchmark datasets (CICDDoS2019, UNSW-NB15, and CICIDS2017). The evaluation through simulation demonstrated that combining human expertise with deep learning technology can significantly reduce the number of false positives (FPs) and false negatives (FNs) by up to 79.61% and en_US
dc.language.iso en en_US
dc.publisher IEEE en_US
dc.subject Intrusion detection, Deep learning, Security, Convolutional neural networks, Probabilistic logic, Telecommunication traffic, Denial-of-service attack, Human activity recognition, Clustering methods, Classification algorithms en_US
dc.title Intrusion Detection with Deep Learning Classifiers: A Synergistic Approach of Probabilistic Clustering and Human Expertise to Reduce False Alarms en_US
dc.type Other en_US

