We implement the recently proposed Broad Learning System (BLS) and its extensions to detect network anomalies and intrusions.
Developed Python code includes modules for BLS, RBF-BLS, cascades of mapped features (CFBLS), cascades of enhancement nodes (CEBLS),
and cascades of mapped features and enhancement nodes (CFEBLS) models as well as their incremental learning variants.
We evaluate the performance of the BLS models using two datasets containing DoS attacks: CICIDS2017, the Intrusion Detection System
dataset from the Canadian Institute for Cybersecurity (CIC), and CSE-CIC-IDS2018, from the collaborative project between
the Communications Security Establishment (CSE) and the CIC.
The algorithms are compared based on accuracy, F-Score, and training time.
The CICIDS2017 dataset includes
intrusions that rely on various network vulnerabilities and
were executed using malicious attack tools: Patator, Slowloris, Heartleech, Damn Vulnerable Web App, Metasploit, Ares, and Low Orbit Ion Cannon.
Extraction of 84 features including duration, size of packets, number of packets, and number of bytes
was performed using an application for generating and analyzing network traffic flows.
We use DoS data collected on Wednesday, 05.07.2017 and labeled Slowloris, Hulk, GoldenEye, and SlowHTTPTest having 5,796, 230,124, 10,293, and 5,499 intrusions, respectively.
The recent CSE-CIC-IDS2018 testbed for intrusion detection
is a collaborative project between CSE and CIC.
The attacker-network includes 50 terminals while the victim-network is implemented as a Local Area Network (LAN)
with 420 terminals and 30 servers divided into 5 subnets.
Ubuntu and MS Windows 8.1 and 10 were used for host machines, while MS Windows 2012 and 2016
were used for servers.
Both victim and attacker networks were implemented using the Amazon Web Services computing platform.
The CSE-CIC-IDS2018 dataset was captured over ten days between Wednesday 14.02.2018 and Friday 02.03.2018 and includes
attack scenarios, date, and start and end times of the attack(s).
The 83 extracted features include flow duration, maximum/minimum packet size, and flow packet rate.
We consider DoS attacks GoldenEye and Slowloris collected on Thursday, 15.02.2018 from 09:26 to 10:09
and from 10:59 to 11:40, respectively.
Download BLS
The latest version (V.1.0.1) of the BLS code is available at:
BLS_SFU_CNL_V1.0.1.zip

Download CICIDS2017 and CSE-CIC-IDS2018 Datasets
The CICIDS2017 dataset containing Brute Force attacks is available at:
CICIDS2017_BruteForce_Dataset.zip
The CICIDS2017 dataset containing DoS attacks is available at:
CICIDS2017_DoS_Dataset.zip
The CSE-CIC-IDS2018 dataset containing DoS attacks is available at:
CSE-CIC-IDS2018_DoS_Dataset.zip

Run the Python code
The following Python files are needed to run the code:
- BLS_demo_for_lower_memory.py
- BLS_incremental_demo_lower_memory.py
Type the following command in the directory BLS_SFU_CNL_V1.0.1:
> python3 xxx.py
Note: xxx.py is a placeholder for the name of a Python file.

Related Publications

Questions
If you have any questions, please contact Zhida Li at <zhidal at sfu.ca>.