基于深度循环神经网络和改进SMOTE算法的组合式入侵检测模型

doi:10.11959/j.issn.2096-109x.2018056

摘要/Abstract

摘要：

已有入侵检测模型普遍只针对网络入侵行为的静态特征进行分析检测，造成检测率低及误报率高等缺陷，且无法有效应用低频攻击。为此提出一种新的基于深度循环神经网络（DRNN）和区域自适应合成过采样算法（RA-SMOTE）的组合式入侵检测模型（DRRS）。首先，RA-SMOTE 对数据集中低频攻击样本进行自适应区域划分，实现差别样本增量，从数据层面提升低频攻击样本数量；其次，利用 DRNN 特有的层间反馈单元，完成多阶段分类特征的时序积累学习，同时多隐层网络结构实现对原始数据分布的最优非线性拟合；最后，使用训练好的DRRS模型完成入侵检测。实验结果表明，相比已有入侵检测模型，DRRS在改善整体检测效果的同时显著提高了低频攻击检测率，且对未知新型攻击具有一定检出率，适用于实际网络环境。

关键词: 网络安全, 深度学习, 入侵检测, 循环神经网络, 过采样算法

Abstract:

Existing intrusion detection models generally only analyze the static characteristics of network intrusion actions,resulting in low detection rate and high false positive rate,and cannot effectively detect low-frequency attacks.Therefore,a novel combinatorial intrusion detection model (DRRS) based on deep recurrent neural network (DRNN) and region adaptive synthetic minority oversampling technique algorithm (RA-SMOTE) was proposed.Firstly,RA-SMOTE divided the low frequency attack samples into different regions adaptively and improved the number of low-frequency attack samples with different methods from the data level.Secondly,the multi-stage classification features were learned by using the level feedback units in DRNN,at the same time,the multi-layer network structure achieved the optimal non-linear fitting of the original data distribution.Finally,the intrusion detection was completed by trained DRRS.The empirical results show that compared with the traditional intrusion detection models,DRRS significantly improves the detection rate of low-frequency attacks and overall detection efficiency.Besides,DRRS has a certain detection rate for unknown new attacks.So DRRS model is effective and suitable for the actual network environment.

Key words: network security, deep learning, intrusion detection, DRNN, oversampling algorithm

中图分类号:

TP393.08

燕昺昊,韩国栋. 基于深度循环神经网络和改进SMOTE算法的组合式入侵检测模型[J]. 网络与信息安全学报, 2018, 4(7): 48-59.

Binghao YAN,Guodong HAN. Combinatorial intrusion detection model based on deep recurrent neural network and improved SMOTE algorithm[J]. Chinese Journal of Network and Information Security, 2018, 4(7): 48-59.

图/表 15

图1

图2

图3

图4

表1

表2

表3

图5

图7

图6

图8

表4

图9

图10

表5

参考文献 18

[1]	国家互联网应急中心. 2017年7月我国互联网安全威胁报告[R]. 2017.
	National Internet Emergency Center. The report of China’s Internet security threat in July[R]. 2017.
[2]	LEI Y , LIU J , YIN H . Intrusion detection techniques based on improved intuitionist fuzzy neural networks[J]. Applied Mechanics＆ Materials, 2014,713-715(1): 2507-2510.
[3]	THASEEN I S , KUMAR C A . Intrusion detection model using fusion of chi-square feature selection and multi class SVM[J]. Journal of King Saud University-Computer and Information Sciences, 2016,29(4): 462-472.
[4]	DASTANPOUR A , IBRAHIM S , MASHINCHI R . Comparison of genetic algorithm optimization on artificial neural network and support vector machine in intrusion detection system[C]// IEEE International Conference on Open Systems, 2014: 72-77.
[5]	ABDLHAMED M , KIFAYAT K , SHI Q . Intrusion prediction systems[J]. Information Fusion for Cyber-Security Analytics, 2017,69(1): 155-174.
[6]	PARSAEI M , ROSTAMI S , JAVIDAN R . A hybrid data mining approach for intrusion detection on imbalanced NSL-KDD dataset[J]. International Journal of Advanced Computer Science and Applications, 2016,7(6): 20-25.
[7]	POZI M , SULAIMAN M , MUSTAPHA N . Improving anomalous rare sttack detection rate for intrusion detection system using support vector machine and genetic programming[J]. Neural Processing Letters, 2016,44(2): 279-290.
[8]	高妮, 高岭, 贺毅岳 . 基于自编码网络特征降维的轻量级入侵检测模型[J]. 电子学报, 2017,45(3): 730-739.
	GAO N , GAO L , HE Y Y . A lightweight intrusion detection model based on autoencoder network with feature reduction[J]. Acta Electronica Sinica, 2017,45(3): 730-739.
[9]	DIRO A , CHILAMKURTI N . Distributed attack detection scheme using deep learning approach for Internet of Things[J]. Future Generation Computer Systems, 2018,82(1): 761-768.
[10]	CHINCHORE R , SAMBARE S . Intrusion detection system by layered approach and hidden Markov model[J]. International Journal of Computer Application, 2015,5(2): 7-14.
[11]	CHAWLA NV , BOWYER KW , HALL LO ,et al. SMOTE:synthetic minority over-sampling technique[J]. Journal of Artificial Intelligence Research, 2002,16(1): 321-357.
[12]	HINTON G , SALAKHUTDINOV R . Reducing the dimensionality of data with neural networks[J]. Science, 2006,313(28): 504-507.
[13]	徐彬, 陈渤, 刘宏伟 . 基于注意循环神经网络模型的雷达高分辨率距离像目标识别[J]. 电子与信息学报, 2016,38(12): 2988-2995.
	XU B , CHEN B , LIU H W . Attention-based recurrent neural network model for radar high-resolution range prfile target recognition[J]// Journal of Electronics ＆ Information Technology, 2016,38(12): 2988-2995.
[14]	THANDA A , VENKATESAN S M . Audio visual speech recognition using deep recurrent neural networks[C]// IAPR Workshop on Multimodal Pattern Recognition of Social Signals in Human-Computer Interaction, 2016: 98-109.
[15]	GUAMAN F , JOTY S , MARQUEZ L ,et al. Machine translation evaluation with neural networks[J]. Computer Speech ＆ Language, 2017,45(1): 180-200.
[16]	JORDAN MI , . Attractor dynamics and parallelism in connectionist sequential machine[C]// Eighth Conference of the Cognitive Science Society, 1986: 531-546.
[17]	SONG J , TAKAKURA H , OKABE Y . Statistical analysis of honeypot data and building of Kyoto 2006+ dataset for NIDS evaluation[C]// The Workshop on Building Analysis Datasets ＆ Gathering Experience Returns for Security. 2011: 29-36.
[18]	TAVALLAEE M , BAGHERI E , LU W . A detailed analysis of the KDD CUP 99 data set[C]// IEEE International Conference on Computational Intelligence for Security and Defense Applications. 2009: 53-58.

数据集	正常类别	攻击类别				总计
数据集	正常类别	DoS	Probing	R2L	U2R	总计
训练集	67 343	45 927	11 656	995	52	125 973
测试集	9 691	7 457	2 421	2 754	220	22 543

编号	训练集		测试集
编号	正常样本	攻击样本	正常样本	攻击样本
No.1	8 647	1 237	3 783	1 373
No.2	9 268	1 364	4 178	1 438
No.3	7 899	1 083	4 903	1 312
No.4	10 045	1 544	3 966	1 194
No.5	8 902	1 395	3 834	1 011
No.6	9 570	1 528	2 045	939

变量名称	变量值
最近邻半径	55
过采样率	600%
DRNN层数	5
输入层神经元个数	121
第一隐层神经元个数	100
第二隐层神经元个数	65
第三隐层神经元个数	35
输出层神经元个数	5
权重学习率	0.01
最大迭代次数	50

样本类别	评价指标	DRNN	DRNN+SMOTE	DRNN+RASMOTE
Normal	PRE	98.52%	98.66%	99.01%
	FAR	1.47%	1.28%	1.29%
DoS	PRE	97.92%	98.34%	98.76%
	FAR	2.27%	2.04%	1.97%
Probing	PRE	97.88%	98.56%	98.42%
	FAR	3.04%	1.54%	1.23%
R2L	PRE	69.26%	94.63%	95.39%
	FAR	32.78%	6.67%	3.99%
U2L	PRE	24.32%	92.54%	94.02%
	FAR	77.50%	7.27%	5.60%
模型训练时间T_train/s		2.68	3.24	2.93

样本类别	PRE
样本类别	CCNN+SMOTE^[7]	GPSVM^[8]	CHI-SVM^[3]	AN-SVM^[5]	DNN^[9]	LHMM^[10]	DRRS
Normal	—	—	96.10	99.68	99.52	—	99.01
DoS	—	91.32	98.87	99.89	97.00	98.43	98.76
Probing	—	85.50	95.80	98.83	98.56	98.61	98.42
R2L	92.97	90.72	76.92	87.58	71.00	31.32	95.39
U2L	55.91	89.28	96.37	18.31	71.00	86.66	94.02