Funding: funded in part by the Humanities and Social Sciences Planning Foundation of Ministry of Education of China under Grant No. 24YJAZH123; National Undergraduate Innovation and Entrepreneurship Training Program of China under Grant No. 202510347069; the Huzhou Science and Technology Planning Foundation under Grant No. 2023GZ04.
Abstract: The Industrial Internet of Things (IIoT) is increasingly vulnerable to sophisticated cyber threats, particularly zero-day attacks that exploit unknown vulnerabilities and evade traditional security measures. To address this critical challenge, this paper proposes a dynamic defense framework named Zero-day-aware Stackelberg Game-based Multi-Agent Distributed Deep Deterministic Policy Gradient (ZSG-MAD3PG). The framework integrates Stackelberg game modeling with the Multi-Agent Distributed Deep Deterministic Policy Gradient (MAD3PG) algorithm and incorporates defensive deception (DD) strategies to achieve adaptive and efficient protection. While conventional methods typically incur considerable resource overhead and exhibit higher latency due to static or rigid defensive mechanisms, the proposed ZSG-MAD3PG framework mitigates these limitations through multi-stage game modeling and adaptive learning, enabling more efficient resource utilization and faster response times. The Stackelberg-based architecture allows defenders to dynamically optimize packet sampling strategies, while attackers adjust their tactics to reach rapid equilibrium. Furthermore, dynamic deception techniques reduce the time required for the concealment of attacks and the overall system burden. A lightweight behavioral fingerprinting detection mechanism further enhances real-time zero-day attack identification within industrial device clusters. ZSG-MAD3PG demonstrates higher true positive rates (TPR) and lower false alarm rates (FAR) compared to existing methods, while also achieving improved latency, resource efficiency, and stealth adaptability in IIoT zero-day defense scenarios.
Funding: This project is funded by King Abdulaziz City for Science and Technology (KACST) under the National Science, Technology, and Innovation Plan (Project Number 11-INF1657-04).
Abstract: This article presents an asset-based security system where security practitioners build their systems based on information they own and not solicited by observing attackers’ behavior. Current security solutions rely on information coming from attackers. Examples are current monitoring and detection security solutions such as intrusion prevention/detection systems and firewalls. This article envisions creating an imbalance between attackers and defenders in favor of defenders. As such, we are proposing to flip the security game such that it will be led by defenders and not attackers. We are proposing a security system that does not observe the behavior of the attack. On the contrary, we draw, plan, and follow up our own protection strategy regardless of the attack behavior. The objective of our security system is to protect assets rather than protect against attacks. Virtual machine introspection is used to intercept, inspect, and analyze system calls. The system call-based approach is utilized to detect zero-day ransomware attacks. The core idea is to take advantage of Xen and DRAKVUF for system call interception, and leverage system calls to detect illegal operations towards identified critical assets. We utilize our vision by proposing an asset-based approach to mitigate zero-day ransomware attacks. The obtained results are promising and indicate that our prototype will achieve its goals.
Abstract: Smart grid systems are advancing electrical services, making them more compatible with Internet of Things (IoT) technologies. The deployment of smart grids is facing many difficulties, requiring immediate solutions to enhance their practicality. Data privacy and security are widely discussed, and many solutions are proposed in this area. Energy theft attacks by greedy customers are another difficulty demanding immediate solutions to decrease the economic losses caused by these attacks. The tremendous amount of data generated in smart grid systems is also considered a struggle in these systems, which is commonly solved via fog computing. This work proposes an energy-theft detection method for smart grid systems employed in a fog-based network infrastructure. This work also proposes and analyzes zero-day energy theft attack detection through a multi-layered approach. The detection process occurs at fog nodes via five machine-learning classification models. The performance of the classifiers is measured, validated, and reported for all models at fog nodes, as well as the required training and testing time. Finally, the measured results are compared to when the detection process occurs at a central processing unit (cloud server) to investigate and compare the performance metrics’ goodness. The results show comparable accuracy, precision, recall, and F1-measure performance. Meanwhile, the measured execution time has decreased significantly in the case of the fog-based network infrastructure. The fog-based model achieved an accuracy and recall of 98%, F1 score of 99%, and reduced detection time up to around 85% compared to the cloud-based approach.
Funding: supported by Princess Nourah bint Abdulrahman University Researchers Supporting Project Number (PNURSP2025R97), Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia.
Abstract: The exponential growth of the Internet of Things (IoT) has introduced significant security challenges, with zero-day attacks emerging as one of the most critical and challenging threats. Traditional Machine Learning (ML) and Deep Learning (DL) techniques have demonstrated promising early detection capabilities. However, their effectiveness is limited when handling the vast volumes of IoT-generated data due to scalability constraints, high computational costs, and the costly time-intensive process of data labeling. To address these challenges, this study proposes a Federated Learning (FL) framework that leverages collaborative and hybrid supervised learning to enhance cyber threat detection in IoT networks. By employing Deep Neural Networks (DNNs) and decentralized model training, the approach reduces computational complexity while improving detection accuracy. The proposed model demonstrates robust performance, achieving accuracies of 94.34%, 99.95%, and 87.94% on the publicly available Kitsune, Bot-IoT, and UNSW-NB15 datasets, respectively. Furthermore, its ability to detect zero-day attacks is validated through evaluations on two additional benchmark datasets, TON-IoT and IoT-23, using a Deep Federated Learning (DFL) framework, underscoring the generalization and effectiveness of the model in heterogeneous and decentralized IoT environments. Experimental results demonstrate superior performance over existing methods, establishing the proposed framework as an efficient and scalable solution for IoT security.
Funding: Deanship of Research and Graduate Studies at King Khalid University for funding this work through Large Research Project under grant number RGP2/286/46; Princess Nourah bint Abdulrahman University Researchers Supporting Project number (PNURSP2025R732), Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia; Ongoing Research Funding program (ORFFT-2025-100-7), King Saud University, Riyadh, Saudi Arabia for financial support; the Deanship of Scientific Research at Northern Border University, Arar, Saudi Arabia, for funding this research work through the project number "NBU-FFR-2025-2913-07"; the Deanship of Graduate Studies and Scientific Research at the University of Bisha for supporting this work through the Fast-Track Research Support Program.
Abstract: Zero-day attacks use unknown vulnerabilities that prevent being identified by cybersecurity detection tools. This study indicates that zero-day attacks have a significant impact on computer security. A conventional signature-based detection algorithm is not efficient at recognizing zero-day attacks, as the signatures of zero-day attacks are usually not previously accessible. A machine learning (ML)-based detection algorithm is proficient in capturing statistical features of attacks and, therefore, optimistic for zero-day attack detection. ML and deep learning (DL) are employed for designing intrusion detection systems. The improvement of absolute varieties of novel cyberattacks poses significant challenges for IDS solutions that are dependent on datasets of prior signatures of the attacks. This manuscript presents the Zero-day attack detection employing an equilibrium optimizer with a deep learning (ZDAD-EODL) method to ensure cybersecurity. The ZDAD-EODL technique employs meta-heuristic feature subset selection using an optimum DL-based classification technique for zero-day attacks. Initially, the min-max scaler is utilized for normalizing the input data. For feature selection (FS), the ZDAD-EODL method utilizes the equilibrium optimizer (EO) model to choose feature sub-sets. In addition, the ZDAD-EODL technique employs the bi-directional gated recurrent unit (BiGRU) technique for the classification and identification of zero-day attacks. Finally, the detection performance of the BiGRU technique is further enhanced through the implementation of the subtraction average-based optimizer (SABO)-based tuning process. The performance of the ZDAD-EODL approach is investigated on the benchmark dataset. The comparison study of the ZDAD-EODL approach portrayed a superior accuracy value of 98.47% over existing techniques.
Funding: supported by the Major Science and Technology Programs in Henan Province (241100210100); the National Natural Science Foundation of China (62072416); the Key Research and Development Special Project of Henan Province (221111210500); the Project of Science and Technology in Henan Province (242102211068, 232102210078).
Abstract: To address the problem that existing studies lack analysis of the relationship between attack-defense game behaviors and situation evolution from the game perspective after constructing an attack-defense model, this paper proposes a network attack-defense game model (ADGM). Firstly, based on the assumption of incomplete information between the two sides of the game, the ADGM model is established, and methods of payoff quantification, equilibrium solution, and determination of strategy confrontation results are presented. Then, drawing on infectious disease dynamics, the network attack-defense situation is defined based on the density of nodes in various security states, and the transition paths of network node security states are analyzed. Finally, the network zero-day virus attack-defense behaviors are analyzed, and comparative experiments on the attack-defense evolution trends under the scenarios of different strategy combinations, interference methods, and initial numbers are conducted using the NetLogo simulation tool. The experimental results indicate that this model can effectively analyze the evolution of the macro-level network attack-defense situation from the micro-level attack-defense behaviors. For instance, in the strategy selection experiment, when the attack success rate decreases from 0.49 to 0.29, the network destruction rate drops by 11.3%; in the active defense experiment, when the interference coefficient is reduced from 1 to 0.7, the network destruction rate decreases by 7%; and in the initial node number experiment, when the number of initially infected nodes increases from 10 to 30, the network destruction rate rises by 3%.
Abstract: The continuous development of cyberattacks is threatening digital transformation endeavors worldwide and leads to wide losses for various organizations. These dangers have proven that signature-based approaches are insufficient to prevent emerging and polymorphic attacks. Therefore, this paper is proposing a Robust Malicious Executable Detection (RMED) using Host-based Machine Learning Classifier to discover malicious Portable Executable (PE) files in hosts using Windows operating systems through collecting PE headers and applying machine learning mechanisms to detect unknown infected files. The authors have collected a novel reliable dataset containing 116,031 benign files and 179,071 malware samples from diverse sources to ensure the efficiency of the RMED approach. The most effective PE headers that can highly differentiate between benign and malware files were selected to train the model on 15 PE features to speed up the classification process and achieve real-time detection for malicious executables. The evaluation results showed that RMED succeeded in shrinking the classification time to 91 milliseconds for each file while reaching an accuracy of 98.42% with a false positive rate equal to 1.58. In conclusion, this paper contributes to the field of cybersecurity by presenting a comprehensive framework that leverages Artificial Intelligence (AI) methods to proactively detect and prevent cyber-attacks.
Abstract: Android devices are popularly available in the commercial market at different price levels for various levels of customers. The Android stack is more vulnerable compared to other platforms because of its open-source nature. There are many Android malware detection techniques available to exploit the source code and find associated components during execution time. To obtain a better result we create a hybrid technique merging static and dynamic processes. In this paper, in the first part, we have proposed a technique to check for correlation between features and classify using a supervised learning approach to avoid the multicollinearity problem, which is one of the drawbacks in the existing system. In the proposed work, a novel PCA (Principal Component Analysis) based feature reduction technique is implemented with conditional dependency features by gathering the functionalities of the application, which adds novelty for the given approach. The Android Sensitive Permission is one major key point to be considered while detecting malware. We select vulnerable columns based on features like sensitive permissions, application program interface calls, services requested through the kernel, and the relationship between the variables, and henceforth build the model using machine learning classifiers and identify whether the given application is malicious or benign. The final goal of this paper is to check benchmarking datasets collected from various repositories like VirusShare, GitHub, and the Canadian Institute of Cyber Security, and compare with models ensuring zero-day exploits can be monitored and detected with a better accuracy rate.
Abstract: The network security analyzers use intrusion detection systems (IDSes) to distinguish malicious traffic from benign ones. The deep learning-based (DL-based) IDSes are proposed to auto-extract high-level features and eliminate the time-consuming and costly signature extraction process. However, this new generation of IDSes still needs to overcome a number of challenges to be employed in practical environments. One of the main issues of an applicable IDS is facing traffic concept drift, which manifests itself as new (i.e., zero-day) attacks, in addition to the changing behavior of benign users/applications. Furthermore, a practical DL-based IDS needs to be conformed to a distributed (i.e., multi-sensor) architecture in order to yield more accurate detections, create a collective attack knowledge based on the observations of different sensors, and also handle big data challenges for supporting high throughput networks. This paper proposes a novel multi-agent network intrusion detection framework to address the above shortcomings, considering a more practical scenario (i.e., online adaptable IDSes). This framework employs continual deep anomaly detectors for adapting each agent to the changing attack/benign patterns in its local traffic. In addition, a federated learning approach is proposed for sharing and exchanging local knowledge between different agents. Furthermore, the proposed framework implements sequential packet labeling for each flow, which provides an attack probability score for the flow by gradually observing each flow packet and updating its estimation. We evaluate the proposed framework by employing different deep models (including CNN-based and LSTM-based) over the CICIDS2017 and CSE-CIC-IDS2018 datasets. Through extensive evaluations and experiments, we show that the proposed distributed framework is well adapted to the traffic concept drift. More precisely, our results indicate that the CNN-based models are well suited for continually adapting to the traffic concept drift (i.e., achieving an average detection rate of above 95% while needing just 128 new flows for the updating phase), and the LSTM-based models are a good candidate for sequential packet labeling in practical online IDSes (i.e., detecting intrusions by just observing their first 15 packets).