Manchester Metropolitan University's Research Repository

A Multiple-Layer Representation Learning Model for Network-Based Attack Detection

Zhang, Xueqin, Chen, Jiahao, Zhou, Yue, Han, Liangxiu ORCID logoORCID: https://orcid.org/0000-0003-2491-7473 and Lin, Jiajun (2019) A Multiple-Layer Representation Learning Model for Network-Based Attack Detection. IEEE Access, 7. pp. 91992-92008.

Published Version
Available under License Creative Commons Attribution.

Download (14MB) | Preview


Accurate detection of network-based attacks is crucial to prevent security breaches of information systems. The recent application of deep learning approaches for network intrusion detection has shown promising. However, the challenges remain on how to deal with imbalance data and small samples as well as reducing false alarm rate (FAR). To address these issues, this work has proposed a multiple-layer representation learning model for accurate end-to-end network intrusion detection by combining deep convolutional neural networks (CNN) with gcForest. The contributions of this work lie in 1) a new data encoding scheme based on P-Zigzag to encode network traffic data into two-dimensional gray-scale images for representation learning without loss of original information; 2) The combination of gcForest and CNN allows accurate detection on imbalanced data and small scale data with fewer hyperparamters comparing to most existing deep learning models, which increase computational efficiency. The proposed approach is based on a multiple-layer approach consisting of a coarse layer and a fine layer, in which the coarse layer with the improved CNN model (GoogLeNetNP) focuses on identification of N abnormal classes and a normal class. While in the fine layer, an improved model based on gcForest (caXGBoost) further classifies the abnormal classes into N-1 subclasses. This ensures fine-grained detection of various attacks. The proposed framework has been compared with the existing deep learning models using three real datasets (a new dataset NBC, a combination of UNSW-NB15 and CICIDS2017 consisting of 101 classes). The experimental results show that our proposed method outperforms other single deep learning methods (i.e., AlexNet, VGG19, GoogleNet, InceptionV3, ResNet18) in terms of accuracy, detection rate, and FAR, which demonstrates its effectiveness in detecting fine-grained attacks and handling imbalanced datasets with high-precision and low FAR.

Impact and Reach


Activity Overview
6 month trend
6 month trend

Additional statistics for this dataset are available via IRStats2.


Actions (login required)

View Item View Item