Intrusion Detection Model Updates Through GAN Data Augmentation and Transfer Learning

Current machine learning techniques for networkbased intrusion detection cannot handle the evolving behavior of network traffic, requiring periodic model updates to be conducted. Besides requiring huge amounts of labeled network traffic to be provided, traditional model updates demand expressive computational costs. This paper proposes a new feasible model update procedure implemented in two steps. First, we use a Generative Adversarial Network (GAN) to augment the sampled network traffic. Next, we use the augmented dataset to perform model updates through a transfer learning-based approach. Thus, our model can decrease both the number of instances that must be labeled and the computational costs during model updates. Our experiments on a one-year dataset with over 8 TB of data show that literature techniques cannot handle changes in network traffic behavior. In contrast, the proposed model without updates improved true-positive rates by up to 25.6%. With monthly model updates, it requires only 14% of computational costs and 2.3% of instances to be provided.