An Intrusion Detection System for Multi-Class Classification based on Deep Neural Networks

Petros Toupas, Dimitra Chamou, Konstantinos M. Giannoutakis, Anastasios Drosou, Dimitrios Tzovaras
Information Technologies Institute
Center for Research & Technology-Hellas
6th km Charilaou-Thermi, 57001, Thessaloniki, Greece
{ptoupas,dimicham,kgiannou,drosou,Dimitrios.Tzovaras}@iti.gr

Abstract—Intrusion Detection Systems (IDSs) are considered one of the fundamental elements in the network security of an organisation, since they form the first line of defence against cyber threats and are responsible for effectively detecting a potential intrusion in the network. Many IDS implementations use flow-based network traffic analysis to detect potential threats. Network security research is an ever-evolving field, and IDSs in particular have been a focus in recent years, with many innovative methods proposed and developed. In this paper, we propose a deep learning model, more specifically a neural network consisting of multiple stacked Fully-Connected layers, in order to implement a flow-based anomaly detection IDS for multi-class classification. We used the updated CICIDS2017 dataset for training and evaluation purposes. The experimental results, using an MLP for intrusion detection, showed that the proposed model can achieve promising results on multi-class classification with respect to accuracy, recall (detection rate), and false positive rate (false alarm rate) on this specific dataset.

Index Terms—Cybersecurity, Intrusion Detection System, Deep Neural Networks, CICIDS2017, Flow Feature-Based, Multi-Class Classification

I. INTRODUCTION

During the past few years, the rising exposure of many organisations to sophisticated cyber-attacks has led to a rapid development of innovative IDSs.
The development of IDSs concerns both the academic and the industrial community worldwide, due to the impact that each cyber attack has in terms of economic cost, reputational damage, and legal consequences. Therefore, it is a matter of great importance to secure networks from unauthorized access and protect user communications and data [1], as well as to reveal new security issues that arise.

A. Intrusion Detection System

An Intrusion Detection System (IDS) is an efficient security reinforcement tool for detecting and protecting against cyber-attacks in any network or host. The responsibility of an IDS is to detect suspicious behaviors and act appropriately to protect the network from the onset of attacks and reduce functional and financial losses [2].

In the literature, IDSs can be categorized [3] as either signature-based [4], anomaly-based [5], or a hybrid combination of both.

Signature-based intrusion detection systems (SIDS), also known as Rule-based or Misuse IDS, conduct ongoing monitoring of network traffic and seek out sequences or patterns of inbound network traffic that match an attack signature. An attack signature can be identified based on network packet headers, destination or source network addresses, sequences of data that correspond to known malware or other patterns, and sequences of data or series of packets that are known to be associated with a particular attack. They identify known intrusions with high accuracy while keeping error rates low. However, the system's database has to be updated manually by the administrator, and a SIDS can detect only intrusions that exist in the system's database, which excludes the detection of new (zero-day) attacks, as there is no relevant attack signature pattern in the system's database.

Anomaly-based intrusion detection systems (AIDS), or behavior-based detection, analyze the normal behavior of the network by monitoring network traffic to detect abnormal activity.
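The difference between the two detection approaches described above, as an added example that is not part of the paper: a signature lookup and a statistical baseline of normal traffic are run over the same constructed flow records. The feature names, the signature rule and the threshold are assumptions, and the median-based baseline stands in for a trained model; it is not the paper's neural network.

```python
import statistics

# Constructed flow records (illustrative values, not taken from CICIDS2017).
FEATURES = ("pkts_per_s", "mean_pkt_len")
BENIGN_FLOWS = [
    {"dst_port": 443, "pkts_per_s": 40, "mean_pkt_len": 620},
    {"dst_port": 443, "pkts_per_s": 35, "mean_pkt_len": 580},
    {"dst_port": 80, "pkts_per_s": 50, "mean_pkt_len": 640},
    {"dst_port": 53, "pkts_per_s": 45, "mean_pkt_len": 600},
    {"dst_port": 443, "pkts_per_s": 38, "mean_pkt_len": 610},
    {"dst_port": 80, "pkts_per_s": 42, "mean_pkt_len": 590},
]
# Hypothetical signature database: one rule for an already-known attack pattern.
SIGNATURES = [{"name": "known-telnet-flood", "dst_port": 23, "min_pkts_per_s": 200}]

def signature_match(flow):
    """Signature-based check: return the rule name only if a stored pattern matches."""
    for sig in SIGNATURES:
        if flow["dst_port"] == sig["dst_port"] and flow["pkts_per_s"] >= sig["min_pkts_per_s"]:
            return sig["name"]
    return None

def fit_baseline(flows):
    """Anomaly-based training: learn median and MAD of each feature from normal traffic."""
    baseline = {}
    for name in FEATURES:
        values = [f[name] for f in flows]
        med = statistics.median(values)
        mad = statistics.median([abs(v - med) for v in values]) or 1.0
        baseline[name] = (med, mad)
    return baseline

def anomaly_score(flow, baseline):
    """Largest robust deviation of any feature from the learned normal profile."""
    return max(abs(flow[n] - med) / mad for n, (med, mad) in baseline.items())

def classify(flow, baseline, threshold=6.0):
    """Report which detector, if any, raises an alert for the flow."""
    rule = signature_match(flow)
    if rule:
        return ("signature", rule)
    if anomaly_score(flow, baseline) > threshold:
        return ("anomaly", None)
    return ("benign", None)

BASELINE = fit_baseline(BENIGN_FLOWS)
KNOWN = {"dst_port": 23, "pkts_per_s": 900, "mean_pkt_len": 70}    # matches the stored rule
NOVEL = {"dst_port": 8080, "pkts_per_s": 900, "mean_pkt_len": 60}  # no rule exists for it
NORMAL = {"dst_port": 443, "pkts_per_s": 44, "mean_pkt_len": 615}

if __name__ == "__main__":
    for label, flow in (("known", KNOWN), ("novel", NOVEL), ("normal", NORMAL)):
        print(label, classify(flow, BASELINE))
```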
AIDS can be trained with anomaly detection algorithms or self-trained with self-learning algorithms, so they can detect new types of intrusions. Compared to signature-based systems, anomaly-based systems show a significant difference in identifying novel attacks. Moreover, the configuration profile of each system can be customized, so it is difficult for attackers to figure out which intrusion activities will go undetected [6].

A Hybrid Intrusion Detection System (HIDS) can combine the advantages of both signature-based and anomaly-based systems and increase the detection of known intrusion attacks, while eliminating the error rates of unknown attacks. Most of the latest hybrid IDSs are based on machine and deep learning methods.

Due to the advantages of anomaly-based intrusion detection systems in the field of zero-day attacks, the proposed model develops an anomaly-based Intrusion Detection System which is based on deep learning.

B. Flow feature-based Classification

One of the main methods of intrusion detection is network traffic analysis and the extraction of the desired statistical features in order to detect abnormal network traffic in near-real time. Thus, traffic classification is a core component in