Deteksi Intrusi Berbasis Log Data Menggunakan BERT Model
| No | 15 |
| Year | 2025 |
| Creators | Yoel Amadeo Pratomo; S.Kom., M.Kom., Ph.D. Tirana Noor Fatyanosa; S.Kom., M.Kom., Ph.D. Mahendra Data |
| URI | http://repository.ub.ac.id/id/eprint/255205 |
| Date | 2025-12-30 |
| Keywords | Intrusion Detection System, Log Data, BERT, SMOTE, Upsampling, Finetuning, NLP |
| Type | thesis |
Abstract
Information system security is a crucial aspect in maintaining the confidentiality, integrity, and availability of data in web-based services. One of the key approaches in this field is the Intrusion Detection System (IDS), which detects abnormal activities within a system. Web server access logs serve as an essential data source for IDS, recording every user request to the web service. However, log data is often massive, unstructured, and highly imbalanced between normal and attack activities, posing significant challenges for conventional detection models. This research aims to analyze the effectiveness of the Bidirectional Encoder Representations from Transformers (BERT) model in detecting intrusions based on log data and to compare its performance with classical machine learning models, namely Logistic Regression and Linear Support Vector Classification (SVC). The dataset used consists of labeled “normal” and “attack” web access logs obtained from Kaggle. Two main experimental pipelines were implemented: (1) a baseline pipeline utilizing BERT embeddings and dimensionality reduction through Manual Incremental PCA (IPCA) prior to linear model classification, and (2) a fine-tuning pipeline that retrains the BERT model to adapt to specific log data patterns. To handle data imbalance, Custom SMOTE was applied in the baseline approach, while text upsampling was applied in the fine-tuning stage. Experimental results show that the fine-tuned BERT model outperforms classical models, achieving higher macro F1-scores, particularly under attack-tonormal ratios of 1:10 and 1:20. The implementation of SMOTE and upsampling effectively improves the model’s sensitivity toward minority (attack) classes without significantly reducing precision. Furthermore, variations in hyperparameters—such as learning rate, batch size, and maximum sequence length—were found to influence the stability and generalization of model training. This study concludes that the BERT-based approach is effective in capturing the semantic context of web logs and enhances intrusion detection accuracy on imbalanced data. These findings contribute to the advancement of modern, NLPbased Intrusion Detection Systems capable of adapting to dynamic cybersecurity threats.