Thutmose - Investigation of Machine Learning-Based Intrusion Detection Systems
Mark Anania, George Corbin, Matthew Kovacs, Kevin Nelson, Jeremy Tobias
The public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Department of Defense, Washington Headquarters Services,
... irectorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS. to study learning systems researched and developed for cyber defense of network resources. Specifically, intrusion detection systems that were built with machine learning operations were studied to understand: the research behind the approach, the data they were designed to protect, the features processed, the algorithms used and the degree to which they were resistant and resilient to experimentally induced adversarial data drift. The results of this work provide deep insight into the strengths and weaknesses of the studied learning systems while operating within an adversarial environment. This insight will enable the design and development of future machine learning-based intrusion detection systems (ML-IDS) to be more hardened and effective in defending our nation's networked resources. The experimentation results will aid in selecting or designing stronger algorithms, choosing better features, and more effectively monitoring resources. The toolset produced to run the experiments may be re-used and enhanced to make designing and testing of these future defenses faster and more effective.