Computer science
Intrusion detection system
Data mining
Metric (unit)
Feature (linguistics)
Encoding (memory)
Machine learning
Dependency (UML)
Generator (circuit theory)
Pattern recognition (psychology)
Euclidean distance
Task (project management)
Artificial intelligence
Economy
Power (physics)
Management
Linguistics
Quantum mechanics
Physics
Philosophy
Operations management
Authors
Jingcheng Yang,Hongwei Li,Shuo Shao,Futai Zou,Yue Wu
Identifier
DOI:10.1016/j.cose.2022.102899
Abstract
Because traditional intrusion detection methods depend heavily on a large, fully labeled dataset, existing works can hardly be applied in real-world scenarios, especially when facing zero-day attacks. In this paper we present a novel intrusion detection framework called “FS-IDS”, comprising a flow data encoding method, a feature fusion mechanism and an intrusion detection system architecture based on few-shot learning. We use a task generator to split the dataset into separate tasks and train the model in an episodic way, so that the model learns general knowledge rather than knowledge specific to a single class. The extraction module and the distance metric module are responsible for learning and for determining whether the traffic data are benign or not. We conduct three sets of experiments on “FS-IDS”: a comparison study, an ablation study and a multiclass study. The comparison study first determines that the best measure for discrimination is Euclidean distance. Based on the optimal implementation, “FS-IDS” achieves performance comparable to existing works while using far fewer malicious samples. The ablation study sets up two base models to explore how the proposed encoding method and feature fusion mechanism improve detection capacity. Both the image representation and the feature fusion achieve more than 2% improvement in accuracy and recall. Finally, to test whether “FS-IDS” performs well under real-world scenarios, we design network traffic containing various attacks to simulate a complex malicious network environment. Experimental results show that “FS-IDS” maintains more than 90% detection accuracy and recall under the worst circumstances, which consist of various seen or unseen attacks with only a few malicious samples available.
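The abstract describes three moving parts (a task generator that builds episodes, an extraction module that embeds flows, and a distance metric module that decides with Euclidean distance) without giving their details. The following is an added illustration, not code from the FS-IDS paper, of how those parts fit together in the simplest metric-based few-shot design. It assumes the distance metric module behaves like a prototypical network (each class in a task is summarised by the mean of its support embeddings and a query is assigned to the nearest prototype); the four-dimensional "flow embeddings" are constructed toy values standing in for the output of a learned extraction module, and the class names are hypothetical.

```python
"""
Added example (not the FS-IDS authors' code): episodic few-shot
classification of flow embeddings by Euclidean distance to class prototypes.

Assumptions (not stated by the paper):
  * the distance metric module compares a query to per-class mean
    embeddings, as a prototypical network does;
  * the vectors in DATASET are toy stand-ins for learned embeddings.
"""
import math
import random

# Constructed toy "flow embeddings": a few 4-dimensional vectors per class.
# Class names are hypothetical; real FS-IDS embeddings come from the
# extraction module, which this example does not model.
DATASET = {
    "benign":     [[0.1, 0.2, 0.1, 0.0], [0.0, 0.3, 0.2, 0.1], [0.2, 0.1, 0.0, 0.1]],
    "dos":        [[0.9, 0.8, 0.1, 0.0], [1.0, 0.7, 0.2, 0.1], [0.8, 0.9, 0.0, 0.1]],
    "portscan":   [[0.1, 0.0, 0.9, 0.8], [0.2, 0.1, 1.0, 0.9], [0.0, 0.1, 0.8, 1.0]],
    "bruteforce": [[0.5, 0.5, 0.5, 0.9], [0.6, 0.4, 0.5, 1.0], [0.4, 0.6, 0.6, 0.8]],
}


def euclidean(a, b):
    """Euclidean distance, the metric the paper's comparison study selects."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def generate_task(dataset, n_way, k_shot, n_query, rng):
    """Task generator: sample n_way classes, then k_shot support flows and
    n_query query flows per class. Training on many such tasks is the
    'episodic' regime the abstract refers to."""
    classes = rng.sample(sorted(dataset), n_way)
    support, query = {}, []
    for cls in classes:
        samples = rng.sample(dataset[cls], k_shot + n_query)
        support[cls] = samples[:k_shot]
        query.extend((x, cls) for x in samples[k_shot:])
    return support, query


def prototypes(support):
    """One prototype per class: the element-wise mean of its support embeddings."""
    protos = {}
    for cls, vecs in support.items():
        dim = len(vecs[0])
        protos[cls] = [sum(v[i] for v in vecs) / len(vecs) for i in range(dim)]
    return protos


def classify(x, protos):
    """Distance metric module: label a query by its nearest prototype."""
    return min(protos, key=lambda c: euclidean(x, protos[c]))


def is_malicious(x, protos):
    """The framework's final output is binary (benign or not): any query
    closer to an attack prototype than to the benign one is flagged."""
    return classify(x, protos) != "benign"


def episode_accuracy(dataset, n_way=3, k_shot=2, n_query=1, seed=0):
    """Run one episode end to end and return the fraction of queries
    assigned to the correct class."""
    rng = random.Random(seed)
    support, query = generate_task(dataset, n_way, k_shot, n_query, rng)
    protos = prototypes(support)
    correct = sum(classify(x, protos) == y for x, y in query)
    return correct / len(query)


if __name__ == "__main__":
    for seed in range(3):
        print(f"episode {seed}: accuracy = {episode_accuracy(DATASET, seed=seed):.2f}")
    protos = prototypes(DATASET)
    print("flow [0.9, 0.8, 0.1, 0.0] malicious?", is_malicious([0.9, 0.8, 0.1, 0.0], protos))
```

The point worth noticing is why this design suits the few-shot setting the abstract targets: adding a previously unseen attack class requires only putting its handful of labelled flows into the support set of a new task, from which a prototype is computed on the fly; nothing is retrained. The detection quality then rests entirely on whether the extraction module places unseen attacks far from the benign prototype, which is what the paper's encoding and feature fusion contributions are meant to improve.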
Strongly Powered by AbleSci AI