Timely response by Network Intrusion Detection Systems (NIDS) is constrained by the flow generation process, which requires accumulating the packets of a flow before features can be computed. This paper introduces Multivariate Time Series (MTS) early detection into NIDS to identify malicious flows before they arrive at target systems. To this end, we first propose a novel feature extractor, Time Series Network Flow Meter (TS-NFM), that represents a network flow as an MTS with explainable per-packet features, and we create a new benchmark dataset, SCVIC-TS-2022, by applying TS-NFM to the meta-data of CICIDS2017. We further propose a deep learning-based early detection model, the Multi-Domain Transformer (MDT), which incorporates the frequency domain into the Transformer, together with a Multi-Domain Multi-Head Attention (MD-MHA) mechanism that improves the ability of MDT to extract discriminative features. Experimental results show that the proposed methodology improves the earliness of conventional NIDS (i.e., the percentage of a flow's packets that must be observed before classification; lower is earlier) by a factor of 5×10^4 and duration-based earliness (i.e., the percentage of the flow duration covered by the classified packets) by a factor of 60, while achieving an 84.1% macro F1 score (31% higher than the Transformer) on SCVIC-TS-2022. In addition, MDT outperforms state-of-the-art early detection methods by 5% and 6% on the ECG and Wafer datasets, respectively.
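To make the two earliness metrics and the "flow as multivariate time series" representation concrete, the following is an added example (not code from the paper or from TS-NFM). It converts a constructed six-packet TCP flow into a per-packet MTS, takes a prefix of the first k packets as an early detector would, and reports packet-based and duration-based earliness for that decision point. The feature set (inter-arrival time, length, direction, SYN/PSH flags) and the naive DFT used to produce a frequency-domain view of the prefix are assumptions standing in for the paper's own feature extractor and frequency-domain module.

```python
import cmath
import math
from typing import Dict, List, Tuple

# Constructed sample flow for illustration only (not from CICIDS2017 or SCVIC-TS-2022).
# Each packet: (timestamp_s, length_bytes, direction, tcp_flags); direction +1 = client->server.
Packet = Tuple[float, int, int, str]
SAMPLE_FLOW: List[Packet] = [
    (0.000, 60, +1, "S"),
    (0.012, 60, -1, "SA"),
    (0.013, 52, +1, "A"),
    (0.015, 517, +1, "PA"),
    (0.040, 1460, -1, "PA"),
    (0.041, 52, +1, "A"),
]


def flow_to_mts(packets: List[Packet]) -> List[Dict[str, float]]:
    """Represent a flow as an MTS: one row per packet, one column per explainable feature.
    The feature set here is an assumption, not the paper's exact TS-NFM feature list."""
    rows = []
    prev_t = packets[0][0]
    for t, length, direction, flags in packets:
        rows.append({
            "iat": t - prev_t,            # inter-arrival time since previous packet
            "length": float(length),      # packet size in bytes
            "direction": float(direction),
            "syn": float("S" in flags),
            "psh": float("P" in flags),
        })
        prev_t = t
    return rows


def packet_earliness(n_used: int, n_total: int) -> float:
    """Fraction of the flow's packets consumed before a decision (lower is earlier)."""
    return n_used / n_total


def duration_earliness(packets: List[Packet], n_used: int) -> float:
    """Fraction of the flow's duration covered by the first n_used packets (lower is earlier)."""
    total = packets[-1][0] - packets[0][0]
    used = packets[n_used - 1][0] - packets[0][0]
    return used / total if total > 0 else 0.0


def magnitude_spectrum(values: List[float]) -> List[float]:
    """Naive DFT magnitudes of one feature channel over the observed prefix.
    Stand-in for the frequency-domain input of a multi-domain model (assumption)."""
    n = len(values)
    return [
        abs(sum(v * cmath.exp(-2j * math.pi * k * i / n) for i, v in enumerate(values)))
        for k in range(n // 2 + 1)
    ]


def early_detection_view(packets: List[Packet], n_used: int) -> Dict[str, object]:
    """What an early detector sees after n_used packets, plus the cost of deciding there."""
    prefix = flow_to_mts(packets)[:n_used]
    return {
        "time_domain": prefix,
        "freq_domain": {
            name: magnitude_spectrum([row[name] for row in prefix]) for name in prefix[0]
        },
        "packet_earliness": packet_earliness(n_used, len(packets)),
        "duration_earliness": duration_earliness(packets, n_used),
    }


if __name__ == "__main__":
    view = early_detection_view(SAMPLE_FLOW, n_used=3)
    print(f"decided after {3}/{len(SAMPLE_FLOW)} packets: "
          f"packet earliness={view['packet_earliness']:.3f}, "
          f"duration earliness={view['duration_earliness']:.3f}")
```

Deciding after the TCP handshake (k=3) already costs 50% of the packets but only about 32% of the flow duration, which is why the paper reports both metrics: a flow dominated by a few large late packets looks very different under the two definitions.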