Privacy and Data Protection

Reinforcement Learning for Intrusion Detection: More Model Longness and Fewer Updates

Authors: Roger R. dos Santos, Eduardo K. Viegas, Altair Santin, Member, IEEE, and Vinicius V. Cogo

Abstract: Intrusion detection approaches in the literature assume that model updates can be performed periodically with little effort, which is rarely feasible in real-world settings. This paper proposes a novel intrusion detection scheme based on reinforcement learning that withstands long periods without model updates, built on two strategies. First, the proposal frames the machine learning models as a reinforcement learning task aiming at longness, i.e., higher classification reliability and accuracy over time. Second, model updates are performed through a transfer learning technique applied within a sliding-window mechanism, which significantly reduces the need for computational resources and human intervention. Experiments on a novel dataset spanning 8 TB of data and four years of real network traffic indicate that current approaches in the literature cannot cope with the evolving behavior of network traffic. Nonetheless, the proposed technique without model updates reaches accuracy rates similar to those of traditional detection schemes with semi-annual updates. When updates are performed, the proposed model reduces false positives by up to 8%, false negatives by up to 34%, and accuracy variation to only 6% compared to the others, while the update task requires only 7 days of training data and almost 5 times fewer computational resources.
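The sliding-window update described in the abstract, as an added illustration that is not the paper's code or dataset: three logistic-regression detectors are scored on constructed synthetic "daily" traffic whose feature distribution drifts a little each day. One is trained once on the first week and then frozen; one is refit every 7 days on only the last 7 days of traffic, warm-starting from its previous weights (a minimal stand-in for the transfer-learning step; the reinforcement-learning part of the paper is not modelled here); one is refit from scratch on all accumulated history at each update. The drift rate, sample counts, regularization and model are assumptions chosen for the illustration, and the full-history model's accuracy reflects this constructed linear drift, not anything the paper measures.

```python
"""Frozen vs. sliding-window (warm-started) vs. full-history retraining under drift.

Added illustration, not code from the paper. All traffic is constructed
synthetic data; DRIFT, PER_DAY and the logistic model are assumptions.
"""
import math
import random

DAYS = 42        # six constructed weeks of traffic
PER_DAY = 200    # samples per day (assumed)
WINDOW = 7       # days of data per update, as in the abstract
DRIFT = 0.1      # per-day shift of both feature means (assumed drift rate)
LAM = 0.01       # L2 weight decay, keeps weights bounded on separable data


def make_day(rng, day):
    """Constructed traffic for one day as (features, label), label 1 = attack.

    Attack flows sit 4 units above benign ones in both features, and the whole
    distribution drifts by DRIFT per day, so a boundary fitted on week one
    gradually ends up inside the benign cloud.
    """
    rows = []
    for _ in range(PER_DAY):
        attack = rng.random() < 0.5
        base = (4.0 if attack else 0.0) + DRIFT * day
        x = (rng.gauss(base, 1.0), rng.gauss(base, 1.0))
        rows.append((x, 1 if attack else 0))
    return rows


def predict(w, x):
    """P(attack) under logistic weights w = [bias, w1, w2], overflow-safe."""
    z = w[0] + w[1] * x[0] + w[2] * x[1]
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def fit(rows, w=None, epochs=30, lr=0.02):
    """L2-regularized logistic regression by SGD; w warm-starts from earlier weights."""
    w = list(w) if w is not None else [0.0, 0.0, 0.0]
    for _ in range(epochs):
        for x, y in rows:
            err = predict(w, x) - y
            w[0] -= lr * err
            w[1] -= lr * (err * x[0] + LAM * w[1])
            w[2] -= lr * (err * x[1] + LAM * w[2])
    return w


def accuracy(w, rows):
    return sum((predict(w, x) >= 0.5) == (y == 1) for x, y in rows) / len(rows)


def simulate(seed=7):
    """Per-day accuracy of each detector from day 7 on, plus training rows consumed."""
    rng = random.Random(seed)
    days = [make_day(rng, d) for d in range(DAYS)]
    first_week = [r for d in days[:WINDOW] for r in d]
    frozen = fit(first_week)        # trained once, never updated
    windowed = list(frozen)         # refit weekly on the last WINDOW days only
    full = list(frozen)             # refit weekly from scratch on all history
    acc = {"frozen": [], "windowed": [], "full": []}
    rows_used = {"frozen": len(first_week), "windowed": 0, "full": 0}
    for d in range(WINDOW, DAYS):
        if d % WINDOW == 0:
            recent = [r for day in days[d - WINDOW:d] for r in day]
            windowed = fit(recent, w=windowed)       # warm start = transfer stand-in
            rows_used["windowed"] += len(recent)
            history = [r for day in days[:d] for r in day]
            full = fit(history)                      # cold start on everything so far
            rows_used["full"] += len(history)
        acc["frozen"].append(accuracy(frozen, days[d]))
        acc["windowed"].append(accuracy(windowed, days[d]))
        acc["full"].append(accuracy(full, days[d]))
    return acc, rows_used


def last_week_mean(acc, name):
    """Mean accuracy of one detector over the final WINDOW days."""
    tail = acc[name][-WINDOW:]
    return sum(tail) / len(tail)


if __name__ == "__main__":
    acc, rows_used = simulate()
    for name in acc:
        print(f"{name:9s} last-week accuracy {last_week_mean(acc, name):.3f} "
              f"training rows consumed {rows_used[name]}")
```

Running the script prints each detector's mean accuracy over the last constructed week and the number of training rows it consumed. The frozen detector collapses toward chance once the benign traffic has drifted across its week-one boundary, the windowed detector keeps tracking the drift while touching a fixed 1,400 rows per update, and the full-history refit's cost grows linearly with the traffic collected, which is the resource argument the abstract makes for the 7-day update window.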


Dataset Download:

2016.zip
2017.zip
2018.zip
2019.zip


© 2019 SecPLab Team.