Hunt for Unseen Intrusion: Multi-Head Self-Attention Neural Detector

A network intrusion detection (NID) system plays a critical role in cybersecurity. However, the existing machine learning-based NID research has a vital issue that their experimental settings do not reflect real-world situations where unknown attacks are constantly emerging. In particular, their train and test sets are from a single data set, which inevitably overestimates the detection power since all test attack types are known in training, and test cases will have similar characteristics to the training data. This paper introduces a new strategy to constitute test data with updated traffic with attack types not included in training data. In the proposed setting, the prediction accuracy of the existing detectors is dropped by about 20% compared to what has been reported. Also, in- depth analysis of detection performance by attack types has revealed that the existing models have strength at certain attack types but struggle to detect the other attack types such as DoS, DDoS, web attack, and port scan. To overcome the issues, we propose a new neural detector, called MHSA, based on a multi-head self-attention mechanism whose architecture suits better to capture scattered pieces of evidence in network traffic. Our model improved the overall detection performance by 29% in false positive rate at the true positive rate of 0.9 and by 9% in AUC over the current state-of-the-art models, successfully detecting the attacks that are not well captured before. Furthermore, we show that our proposed MHSA model even outperforms the best ensemble detector constructed by joining the state-of-the-art classifiers.