This project aims to investigate, design and develop new model-driven methods for AI-based network intrusion detection systems (IDSs). The emphasis is on designing an AI model that can verify and explain its security decisions while detecting intrusions efficiently and effectively, so that the resulting system is safe and can be trusted.
Unlike data-driven methods (e.g., machine learning), model-driven methods embed expert knowledge in a model that characterizes user behavior (e.g., through formal logic), so that malicious activity is identified by decisions that are trustworthy, interpretable and verifiable, in particular when the IDS is deployed in real-world settings. In other words, this project aims to advance the state of the art in AI-powered IDSs by integrating expert knowledge into the models to obtain trustworthy, interpretable and verifiable decisions. This will improve the security of protected users by making IDSs more effective and reliable, and move AI-based intrusion detection closer to industry-wide deployment.
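To make the model-driven idea concrete, the following is an added example (not code from this project) of a toy knowledge-based detector: expert knowledge is written as explicit, human-readable rules over per-source traffic summaries, so every alert carries the rule that fired and the evidence that satisfied it, and the rule set can be checked against a known-benign baseline. The record format, rule names, thresholds and sample traffic are all constructed for illustration.

```python
"""Toy model-driven (knowledge-based) intrusion detector.

Added example: expert knowledge is written as explicit rules over per-source
traffic summaries, so every alert carries the rule that fired and the evidence
that satisfied it. Record format, thresholds, rule names and traffic below are
constructed for illustration; none come from the project described above.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Conn:
    """One connection record (constructed sample format)."""
    src: str
    dst: str
    dport: int
    bytes_out: int
    failed_auth: bool = False


@dataclass
class Profile:
    """Facts derived from all connections of one source within the window."""
    dports: set = field(default_factory=set)
    dsts: set = field(default_factory=set)
    failed_auth: int = 0
    bytes_out: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    knowledge: str                        # the expert statement the rule encodes
    holds: Callable[[Profile], bool]      # predicate over the derived facts
    evidence: Callable[[Profile], str]    # what to show the analyst when it fires


def summarize(conns: List[Conn]) -> Dict[str, Profile]:
    """Derive per-source facts from raw connection records."""
    profiles: Dict[str, Profile] = {}
    for c in conns:
        p = profiles.setdefault(c.src, Profile())
        p.dports.add(c.dport)
        p.dsts.add(c.dst)
        p.failed_auth += int(c.failed_auth)
        p.bytes_out += c.bytes_out
    return profiles


# Thresholds are illustrative assumptions, not tuned values.
SCAN_PORTS = 10
BRUTE_FAILS = 5
EXFIL_BYTES = 50_000_000

RULES = [
    Rule("port_scan",
         "A host that touches many distinct ports on few hosts is probing services",
         lambda p: len(p.dports) >= SCAN_PORTS and len(p.dsts) <= 2,
         lambda p: f"{len(p.dports)} distinct ports across {len(p.dsts)} host(s)"),
    Rule("ssh_bruteforce",
         "Repeated failed authentications against port 22 indicate password guessing",
         lambda p: 22 in p.dports and p.failed_auth >= BRUTE_FAILS,
         lambda p: f"{p.failed_auth} failed authentications on port 22"),
    Rule("bulk_upload",
         "Unusually large outbound volume from a client suggests exfiltration",
         lambda p: p.bytes_out >= EXFIL_BYTES,
         lambda p: f"{p.bytes_out} bytes sent"),
]


def detect(conns: List[Conn], rules=RULES) -> List[dict]:
    """Return one alert per (source, rule) that fires, each with its explanation."""
    alerts = []
    for src, prof in summarize(conns).items():
        for r in rules:
            if r.holds(prof):
                alerts.append({"src": src, "rule": r.name,
                               "why": r.knowledge, "evidence": r.evidence(prof)})
    return alerts


def verify_silent_on(baseline: List[Conn], rules=RULES) -> bool:
    """Verification step: the rule set must raise no alert on known-benign traffic."""
    return detect(baseline, rules) == []


# Constructed sample traffic for one observation window.
BENIGN = [Conn("10.0.0.2", "10.0.0.10", 443, 4_000),
          Conn("10.0.0.3", "10.0.0.10", 80, 1_200),
          Conn("10.0.0.2", "10.0.0.11", 22, 3_000)]
SUSPECT = (BENIGN
           + [Conn("10.0.0.5", "10.0.0.10", port, 60) for port in range(1, 13)]
           + [Conn("10.0.0.7", "10.0.0.11", 22, 500, failed_auth=True) for _ in range(6)])

if __name__ == "__main__":
    for a in detect(SUSPECT):
        print(f"{a['src']}: {a['rule']} ({a['evidence']}) because {a['why']}")
    print("rule set silent on benign baseline:", verify_silent_on(BENIGN))
```

The point of the structure is that each `Rule` keeps the expert's statement next to the predicate that implements it, so an alert can be read and disputed by an administrator, and the rule set can be re-validated against a benign corpus whenever a rule changes; a purely data-driven classifier offers neither the explanation nor the cheap verification step.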
Intrusion Detection Systems (IDSs) are commonly deployed on networks and hosts to identify malicious activity that represents misuse of computer systems. The number and variety of attacks keep increasing, and detection based on manually defined signatures alone is no longer viable. AI-powered IDS solutions have therefore been explored to keep up with this arms race and scale to new threats, but they are not yet deployed at scale in companies, mostly because such systems are neither trusted nor interpretable and produce too many false positives for real-world use. In particular, most existing AI-powered IDSs are data-driven: the relationships learned from the data are often artifacts of the training set or domain-agnostic, and thus hard to trust and interpret even for network administrators. This project addresses this gap by exploring model-driven solutions for intrusion detection.