K-Means Hybrid Generative Adversarial Network for Improved Intrusion Detection Based on the MITRE ATT&CK Framework

Abstract

Intrusion Detection Systems (IDS) play a crucial role in protecting network security against the increasing number of attacks in the digital age. Graph Convolutional Network (GCN) models are currently considered a prominent approach in developing IDS due to their ability to exploit the graph structure of network data. However, the performance of GCN models heavily relies on the quality of input data during the training process. Popular datasets such as CICIDS2017, CSE-CIC-IDS2018, CICDDOS2019, and UNSW-NB15 often face issues of severe class imbalance and non-standard labeling, which reduce the effectiveness and reliability of IDS models. To address this issue, we propose a method called K-Means Hybrid Generative Adversarial Network (KHGAN). This method generates a new dataset based on the prominent features of all four aforementioned dataset while transforming labels according to the MITRE ATT&CK framework to improve accuracy, detection capability and standardization for GCN-based IDS models. KHGAN combines the K-Means algorithm for clustering and data compression with HybridGAN is designed using the Generator to creates attack data, while the Discriminator evaluates it using four classical IDS models: Multi-Layer Perceptron (MLP), Support Vector Machine (SVM), Random Forest (RF). Experimental results show that retraining the GCN model with the new dataset generated by KHGAN achieves superior performance, with 97.78% Accuracy, 14.36% higher Precision and 3.29% higher F1-Score compared to the GCN model trained on the CICIDS2017 dataset.