Network Intrusion Detection Model Using TabNet

Abstract

Cyber-attacks are increasing worldwide in their complexity, coverage, and damaging impacts. Every victim or target of cyber-attacks must strengthen their defense, mitigation, and recovery mechanism to be immune from future cyber-attacks. One such mechanism is an intrusion detection system. An intrusion detection system is a software or firmware system that monitors intrusion activities in the network or host devices. To defend well from cyber-attacks, an intrusion detection system must be efficient in its detection performance, processing speed, and response time. And also, an intrusion detection system must balance interpretability with high detection performance to be trusted with its detection result and to be deployed in real-world critical application areas. But existing intrusion detection systems especially network-based intrusion detection systems that are implemented using machine learning and deep learning techniques are suffered from some challenges such as low detection performance, complex and opaque detection models, high model training, and test time. Therefore, this research study developed high detection performance and interpretable network intrusion model using TabNet deep neural network and sequential attention encoder model. The model was trained and tested using a recent, more realistic, and representative CICIDS2017 dataset. TabNet encoder's performance to transform the input data into a useful representation of features and its ability to choose salient features sequentially in each step resulted in a high-performance and locally as well as globally interpretable network intrusion detection model. Performance evaluation of the developed model shows a 0.00049 False Positive Rate value and 99.98% of accuracy value on the balanced dataset experiment. A comparative study with state-of-the-art XGBoost model and Autoencoder models on detection performance, model interpretability, scalability, and robustness criteria also shows a promising result of the proposed model.