An identification strategy for unknown attack through the joint learning of space–time features

2021 
Abstract: Deep learning (DL) can effectively extract the features of attack behaviours and identify unknown attack behaviours. However, current DL-based methods learn spatial and temporal features separately and fail to consider the spatiotemporal correlation of cyber events. To fill this gap, this paper proposes an identification strategy for unknown attack behaviours through the joint learning of spatiotemporal features. First, a double-layer long short-term memory (LSTM) network was adopted to learn the spatial features of data packets and the temporal features of the network flow, which makes attack behaviour recognition less dependent on prior knowledge. Next, temporal attention was constructed to suppress the noise in the spatial features of the data packets; spatial attention was designed to reduce the temporal features with low-density information; and the spatial attention was fused with the temporal attention to establish the spatiotemporal dependence of cyber-attack behaviours and distinguish the importance of spatiotemporal features. Finally, our identification strategy was experimentally compared with identification models based solely on spatial features or solely on temporal features. The comparison shows that our strategy outperformed the comparison models by 2% in recognition accuracy. Thus, the fusion of spatial and temporal features can effectively improve the identification accuracy of unknown attack behaviours.