Network Intrusion Detection (NID) Using Neural Networks on FPGA SoCs

Shubhamdshmkh
Security Risks In Systems-On-Chip (SOCs)
5 min read · May 28, 2021

After looking at various approaches to detecting hardware trojans with neural networks in the blog post Hardware Trojan Detection through Backpropagation Neural Network, we now turn to a proposed architecture for Network Intrusion Detection (NID) using neural networks on FPGA SoCs.

Network security is becoming a necessity as more and more systems become interconnected through the internet. Much research has been conducted on large appliances for network security, but these do not scale well to lightweight systems such as those used in the Internet of Things (IoT) domain. Meanwhile, the low-power processors used in IoT devices do not have the performance required for detailed packet analysis. This time we will look at a proposed approach to network intrusion detection using neural networks, implemented on FPGA SoC devices, that can achieve the required performance on embedded systems. The proposed design is flexible, allowing model updates to adapt to emerging attacks.

IoT is an emerging technology that will connect every small device to the internet: each device sends its data to the cloud, where the processing is done and an appropriate response is returned. This is very useful, but it also leaves a major threat from malicious activity, where a third party could take advantage of one small device connected to the system and corrupt the entire system.

Intrusion Detection Systems (IDSs) collect and analyze information from the systems within a network to detect malicious attacks. A detection can be logged as an event of interest or can trigger a defense mechanism to deal with the event in real time. Mainstream IDSs use methods like pattern matching, string matching, multi-match packet classification, and regular expressions. These computationally complex approaches are often implemented using hardware accelerators on FPGAs or ASICs, or run on highly parallel multi-core processors or GPUs that enable them to process network traffic at the high rates required. Hence, such complex systems are usually integrated within the network infrastructure of large organizations.

In the proposed architecture, the neural network is designed to act as an IoT gateway that processes packets at line rate while enabling model parameter updates to adapt to changing requirements.

Intrusion Detection Systems (IDSs) can be divided into two categories, according to the detection method used: (i) Signature (or misuse) based: captured data is compared against a database containing signatures of known attacks. (ii) Anomaly-based: captured data is compared against a model of the expected normal behavior of the system. If a deviation is observed, a malicious attack has been detected. Each method has its disadvantages, so hybrid implementations of signature and anomaly-based IDSs present a more robust approach, since one method complements the other, though these still require significant computing power.

The reason for using machine learning algorithms is that they are good at generalizing their learned patterns to new, unknown data. We also need to consider that IoT, as a developing domain, will see evolving traffic patterns as it finds more uses. The safe patterns of communication are themselves evolving, and hence an adaptable approach to intrusion detection is needed.

Neural networks (NNs) are computational models inspired by human cognition that can model complex non-linear functions correlating inputs and expected outputs. They have been applied successfully in a broad range of fields, from automotive to medical applications. Each neuron calculates the weighted sum of its inputs and adds this to an offset value (bias), passing the result to an activation function. NNs comprise a sequence of neuron layers that propagate results between them, and the weights and biases are later updated to get better accuracy. Various types of neural network architectures or methods have already been implemented, such as PCA, Decision Tree, ANN, SNN, CNN, RNN, ResNet50, and GoogLeNet, with test accuracies ranging from 70% to 85%.

The NSL-KDD dataset, a labeled dataset for supervised learning, is the most widely used malicious activity detection dataset. Each entry in the dataset comprises 41 features categorized into 3 groups: (i) Basic features: features that are extracted from a TCP/IP connection. (ii) Traffic features: features that are generated within a window of the last 100 connections, to enable detection of longer probe attacks. (iii) Content features: features that are extracted from the packets' data and provide the means to detect attacks with infrequent sequential patterns. The dataset contains 22 attack types, divided into 4 main malicious categories: DoS (Denial of Service), Probe, R2L (Remote to Local), and U2R (User to Root). For training, categorical features are one-hot encoded.

TensorFlow is used to train the neural network with 29 input features, 21 hidden neurons, and 2 binary output neurons. The proposed NN was trained with the ReLU activation function and the Adam optimizer, using the cross-entropy loss function (which also includes softmax), with weights and biases randomly initialized. The authors further determine some training parameters experimentally, such as the learning rate and batch size; these are tested by well-known accuracy measures like TP, TF, and F1 score. The proposed neural network gives a train accuracy of about 96% and a test accuracy of 80%.

For the hardware implementation, they used Xilinx Vivado HLS 2016.4 targeting the Xilinx Zynq Z-7020 FPGA, which is designed to act as an IoT gateway, securing the network for a group of less capable devices. This proposed architecture represents an approach for network intrusion detection using NNs on FPGA SoCs. The topology of the NN maintains moderate computational complexity for a hardware implementation that can be deployed on any given Xilinx Zynq device. It also allows runtime configuration of the neural network parameters, so that updates can address new and unknown emerging attacks. They used TensorFlow to train the proposed NN on the NSL-KDD dataset, obtaining at best 80.52% accuracy on the test dataset. The proposed hardware accelerator is 161.7× faster than the software execution on the Zynq Arm core, allowing it to detect malicious packets within a single packet window for 1 Gbps and 10 Gbps. In the future, they aim to explore approaches to reduce latency by implementing various NN architectures to get better results, so that it can also be implemented in real time.
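The following is an added example, not code from the post or from the authors of the proposed design: a software model of the 29-21-2 network described above (ReLU hidden layer, softmax output, cross-entropy loss) in which the topology is fixed and only the weights and biases can be replaced at runtime. The class and function names, the benign/malicious meaning of the two outputs, the hand-built weights, and the feature vectors are all assumptions made for illustration.

```python
import math

N_IN, N_HID, N_OUT = 29, 21, 2   # topology stated in the post
BENIGN, MALICIOUS = 0, 1         # assumed meaning of the two output neurons

class GatewayNN:
    """Fixed 29-21-2 topology; only weights and biases change at runtime."""
    def __init__(self, params):
        self.load(params)

    def load(self, params):
        """Swap in a new parameter set; reject anything that does not fit."""
        w1, b1, w2, b2 = params
        shapes_ok = (len(w1) == N_HID and all(len(r) == N_IN for r in w1)
                     and len(b1) == N_HID and len(b2) == N_OUT
                     and len(w2) == N_OUT and all(len(r) == N_HID for r in w2))
        flat = [v for r in list(w1) + list(w2) for v in r] + list(b1) + list(b2)
        if not shapes_ok or not all(math.isfinite(v) for v in flat):
            raise ValueError("parameters do not fit the 29-21-2 topology")
        self.params = (w1, b1, w2, b2)

    def forward(self, x):
        """Return softmax probabilities [p_benign, p_malicious]."""
        if len(x) != N_IN:
            raise ValueError("expected 29 input features")
        w1, b1, w2, b2 = self.params
        # Each neuron: weighted sum of inputs plus bias; ReLU on the hidden layer.
        h = [max(0.0, sum(w * v for w, v in zip(row, x)) + b)
             for row, b in zip(w1, b1)]
        z = [sum(w * v for w, v in zip(row, h)) + b for row, b in zip(w2, b2)]
        e = [math.exp(v - max(z)) for v in z]   # max-shift for stability
        return [v / sum(e) for v in e]

    def classify(self, x):
        p = self.forward(x)
        return MALICIOUS if p[MALICIOUS] > p[BENIGN] else BENIGN

def cross_entropy(probs, label):
    """Softmax cross-entropy loss for one sample with true class `label`."""
    return -math.log(probs[label])

def constructed_params(threshold):
    """Hand-built, untrained weights: hidden neuron 0 fires once the sum of
    the 29 features exceeds `threshold` and drives the malicious output."""
    w1 = [[1.0] * N_IN] + [[0.0] * N_IN for _ in range(N_HID - 1)]
    b1 = [-threshold] + [0.0] * (N_HID - 1)
    w2 = [[0.0] * N_HID, [1.0] + [0.0] * (N_HID - 1)]
    return w1, b1, w2, [1.0, 0.0]

gateway = GatewayNN(constructed_params(5.0))
quiet, noisy = [0.1] * N_IN, [0.5] * N_IN   # constructed feature vectors
```

Calling `gateway.load(constructed_params(20.0))` changes the verdict on `noisy` without touching the topology, which is the property the runtime-configurable design relies on; a parameter set with the wrong dimensions is refused and the previous one stays active.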

I hope you got to learn something new today from this series of 4 blogs, where we got to know how malicious activities like hardware trojans and DoS are dangerous for an SoC and how neural networks could help us detect them before any mishap.

Thank you very much! Till then, stay safe, stay connected, and be aware!
