基于LSTM与改进残差网络优化的异常流量检测方法

doi:10.11959/j.issn.1000-436x.2021109

Abstract

Abstract:

Problems such as a difficulty in feature selection and poor generalization ability were prone to occur when traditional method was exploited to detect abnormal network traffic.Therefore, an abnormal traffic detection method based on the long short term memory network (LSTM) and improved residual neural network optimization was proposed.Firstly, the features and attributes of network traffic were analyzed, and the variability of the feature values was reduced by preprocessing of network traffic.Then, a three-layer stacked LSTM network was designed to extract network traffic features of different depths.Moreover, the problem of weak adaptability of feature extraction was solved.Finally, an improved residual neural network with skipping connecting line was designed to optimize the LSTM.The defects of deep neural network such as overfitting and gradient vanishing were optimized.The accuracy of abnormal traffic detection was improved.Experimental results show that the proposed method has higher training accuracy and better visibility of data processing.The classification accuracy rates under two classifications and multiple classifications are 92.3% and 89.3%.It has the lowest false positive rate when the parameters such as precision rate and recall rate are optimal.Moreover, it has strong robustness when the sample is destroyed.Furthermore, better generalization ability can be achieved.

Key words: abnormal traffic detection, LSTM, data pooling layer, dilated convolution, improved residual neural network

CLC Number:

TP393.08

Wengang MA, Yadong ZHANG, Jin GUO. Abnormal traffic detection method based on LSTM and improved residual neural network optimization[J]. Journal on Communications, 2021, 42(5): 23-40.

Figures/Tables 25

References 25

[1]	张定华, 胡祎波, 曹国彦 ,等. 面向工业网络通信安全的数据流特征分析[J]. 西北工业大学学报, 2020,38(1): 199-208.
	ZHANG D H , HU Y B , CAO G Y ,et al. Dataflow feature analysis for industrial networks communication security[J]. Journal of Northwestern Polytechnical University, 2020,38(1): 199-208.
[2]	李赛飞, 闫连山, 郭伟 ,等. SD-SSDN:基于SDN架构的高速铁路信号系统安全数据网的安全管控研究[J]. 铁道学报, 2018,40(12): 81-92.
	LI S F , YAN L S , GUO W ,et al. SD-SSDN:software-defined signal safety data network for high-speed railway systems[J]. Journal of the China Railway Society, 2018,40(12): 81-92.
[3]	丁建文, 宋甲英, 林思雨 ,等. 基于GPRS分组交换网络的CTCS-3级列控系统车地安全数据传输的可行性[J]. 中国铁道科学, 2015,36(3): 119-126.
	DING J W , SONG J Y , LIN S Y ,et al. Feasibility of train-ground safe-ty data transmission for CTCS-3 train control system based on GPRS packet switching network[J]. China Railway Science, 2015,36(3): 119-126.
[4]	李赛飞, 闫连山, 李洪赭 ,等. 铁路通信网络安全的分析测试与可信防御研究[J]. 西南交通大学学报, 2018,53(6): 1130-1136,1149.
	LI S F , YAN L S , LI H Z ,et al. Analysis and testing of network secu-rity for China railway communication networks and proposed archi-tecture based on trusted computing[J]. Journal of Southwest Jiaotong University, 2018,53(6): 1130-1136,1149.
[5]	ZHANG X , ZHAO J B , LECUN Y . Character-level convolutional networks for text classification[C]// Advances in Neural Information Processing Systems. Massachusetts:MIT Press, 2015: 649-657.
[6]	LU X H , ZHENG B , VELIVELLI A ,et al. Enhancing text categorization with semantic-enriched representation and training data augmentation[J]. Journal of the American Medical Informatics Association, 2006,13(5): 526-535.
[7]	PARK S , KIM M , LEE S . Anomaly detection for HTTP using convolutional autoencoders[J]. IEEE Access, 2018,6: 70884-70901.
[8]	YU Y Q , LIU G , N YAN H B ,et al. Attention-based Bi-LSTM model for anomalous HTTP traffic detection[C]// 2018 15th International Conference on Service Systems and Service Management. Piscataway:IEEE Press, 2018: 1-6.
[9]	YANG W C , ZUO W , CUI B J . Detecting malicious URLs via a keyword-based convolutional gated-recurrent-unit neural network[J]. IEEE Access, 2019,7: 29891-29900.
[10]	CHORA? M , KOZIK R . Machine learning techniques applied to detect cyber attacks on web applications[J]. Logic Journal of the IGPL, 2015,23(1): 45-56.
[11]	KRUEGEL C , VIGNA G . Anomaly detection of Web-based attacks[C]// Proceedings of the 10th ACM conference on Computer and Communications security. New York:ACM Press, 2003: 251-261.
[12]	CORONA I , TRONCI R , GIACINTO G . SuStorID:a multiple classifier system for the protection of Web services[C]// Proceedings of the 21st International Conference on Pattern Recognition. Piscataway:IEEE Press, 2012: 2375-2378.
[13]	RINGBERG H , SOULE A , REXFORD J ,et al. Sensitivity of PCA for traffic anomaly detection[C]// ACM SIGMETRICS Performance Evaluation Review. New York:ACM Press, 2007,35(1): 109-120.
[14]	AL-OBEIDAT F , EL-ALFY E S M . Hybrid multicriteria fuzzy classification of network traffic patterns,anomalies,and protocols[J]. Personal and Ubiquitous Computing, 2019,23(5/6): 777-791.
[15]	ERFANI S M , RAJASEGARAR S , KARUNASEKERA S ,et al. High-dimensional and large-scale anomaly detection using a linear one-class SVM with deep learning[J]. Pattern Recognition, 2016,58: 121-134.
[16]	DU M , LI F F , ZHENG G N ,et al. DeepLog:anomaly detection and diagnosis from system logs through deep learning[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 1285-1298.
[17]	ZHANG M , LU S B , XU B Y . An anomaly detection method based on multi-models to detect web attacks[C]// 2017 10th International Symposium on Computational Intelligence and Design. Piscataway:IEEE Press, 2017: 404-409.
[18]	高妮, 高岭, 贺毅岳 ,等. 基于自编码网络特征降维的轻量级入侵检测模型[J]. 电子学报, 2017,45(3): 730-739.
	GAO N , GAO L , HE Y Y ,et al. A lightweight intrusion detection model based on autoencoder network with feature reduction[J]. Acta Electronica Sinica, 2017,45(3): 730-739.
[19]	ALRAWASHDEH K , PURDY C . Toward an online anomaly intrusion detection system based on deep learning[C]// 2016 15th IEEE International Conference on Machine Learning and Applications. Piscataway:IEEE Press, 2016: 195-200.
[20]	李艳霞, 柴毅, 胡友强 ,等. 不平衡数据分类方法综述[J]. 控制与决策, 2019,34(4): 673-688.
	LI Y X , CHAI Y , HU Y Q ,et al. Review of imbalanced data classifica-tion methods[J]. Control and Decision, 2019,34(4): 673-688.
[21]	陈建廷, 向阳 . 深度神经网络训练中梯度不稳定现象研究综述[J]. 软件学报, 2018,29(7): 2071-2091.
	CHEN J T , XIANG Y . Survey of unstable gradients in deep neural network training[J]. Journal of Software, 2018,29(7): 2071-2091.
[22]	DAS T K , ADEPU S , ZHOU J Y . Anomaly detection in industrial control systems using logical analysis of data[J]. Computers ＆ Security, 2020,96: 101935.
[23]	宋勇, 侯冰楠, 蔡志平 . 基于深度学习特征提取的网络入侵检测方法[J]. 华中科技大学学报(自然科学版), 2021,49(2): 115-120.
	SONG Y , HOU B N , CAI Z P . Network intrusion detection method based on deep learning feature extraction[J]. Journal of Huazhong University of Science and Technology (Natural Science Edition), 2021,49(2): 115-120.
[24]	张兴兰, 尹晟霖 . 可变融合的随机注意力胶囊网络入侵检测模型[J]. 通信学报, 2020,41(11): 160-168.
	ZHANG X L , YIN S L . Intrusion detection model of random attention capsule network based on variable fusion[J]. Journal on Communica-tions, 2020,41(11): 160-168.
[25]	YANG J , LIANG G , LI B B ,et al. A deep-learning- and reinforcement-learning-based system for encrypted network malicious traffic detection[J]. Electronics Letters, 2021,57(9): 363-365.

Metrics

Recommended 0

No Suggested Reading articles found!

标签类别	训练集/个	测试集/个
Normal	67 343	9 711
Probe	11 656	2 421
DoS	45 927	7 458
R2L	995	2 754
U2R	52	200
合计	125 973	22 544

方法	Accuracy	方法	Accuracy
BP	78.2%	SVM	76.1%
LR	73.6%	CNN2	86.7%
KNN	82.4%	DNN2	87.2%
DT	83.6%	DBN	89.4%
RF	79.3%	LSTM	87.6%
RDF	83.5%	本文方法	92.3%

方法	类别	Precision	Recall	FPR	F-measure	AUC
BP	Normal	44.362%	76.342%	22.363%	56.116%	0.695
	Attack	78.325%	79.427%	19.635%	78.872%	0.687
LR	Normal	65.437%	73.635%	11.258%	69.294%	0.542
	Attack	79.654%	76.894%	25.634%	78.250%	0.593
KNN	Normal	75.724%	69.358%	9.365%	72.401%	0.753
	Attack	82.359%	72.417%	15.985%	77.069%	0.782
DT	Normal	73.612%	80.364%	4.952%	76.840%	0.714
	Attack	85.627%	82.348%	12.305%	83.956%	0.714
RF	Normal	58.952%	79.459%	6.654%	67.686%	0.728
	Attack	88.671%	81.872%	9.258%	85.136%	0.764
RDF	Normal	68.425%	82.328%	5.369%	74.736%	0.792
	Attack	85.654%	84.759%	8.258%	85.204%	0.792
SVM	Normal	52.872%	79.125%	18.675%	63.388%	0.826
	Attack	79.361%	82.388%	22.464%	80.846%	0.834
CNN2	Normal	70.821%	85.696%	3.254%	77.552%	0.865
	Attack	88.657%	87.397%	6.272%	88.022%	0.854
DNN2	Normal	74.258%	86.965%	2.359%	80.111%	0.756
	Attack	87.696%	88.564%	4.872%	88.128%	0.793
DBN	Normal	80.920%	89.781%	3.695%	85.121%	0.899
	Attack	89.471%	96.265%	4.259%	92.744%	0.863
LSTM	Normal	81.586%	89.820%	2.215%	85.505%	0.798
	Attack	89.214%	91.652%	3.269%	90.417%	0.779
本文方法	Normal	87.932%	93.587%	1.454%	90.671%	0.893
	Attack	93.625%	95.634%	2.651%	94.619%	0.883

方法	Accuracy	方法	Accuracy
BP	73.4%	SVM	82.1%
LR	72.6%	CNN2	84.7%
KNN	79.4%	DNN2	85.5%
DT	81.2%	DBN	88.4%
RF	83.3%	LSTM	83.7%
RDF	84.5%	本文方法	89.3%

方法			验证集					测试集
方法	Precision	Recall	FPR	F-measure	AUC	Precision	Recall	FPR	F-measure	AUC
文献[22]	89.34%	87.58%	6.96%	88.45%	0.885	86.12%	85.48%	7.43%	85.80%	0.871
文献[23]	85.68%	84.63%	5.27%	85.15%	0.876	83.47%	84.02%	6.84%	83.74%	0.852
文献[24]	92.41%	91.27%	4.65%	91.84%	0.913	89.68%	88.79%	5.02%	89.23%	0.897
文献[25]	94.57%	93.81%	2.58%	94.18%	0.934	91.59%	92.36%	3.36%	91.98%	0.911
本文方法	94.09%	94.19%	2.86%	94.14%	0.946	92.73%	93.28%	2.41%	93.01%	0.928

Abnormal traffic detection method based on LSTM and improved residual neural network optimization

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 25

References 25

Related Articles 11

Metrics

Recommended 0

方法	Accuracy			时间/s
方法	0.15	0.25	0.35	训练	测试
CNN2	81.971%	75.356%	71.642%	43.151	6.347
DNN2	83.594%	81.277%	79.706%	36.273	7.652
DBN	85.383%	82.922%	80.525%	39.482	8.526
LSTM	87.259%	85.934%	83.807%	27.496	4.258
文献[22]	85.417%	80.336%	79.634%	33.429	7.413
文献[23]	84.264%	81.228%	80.217%	35.472	7.231
文献[24]	87.678%	84.364%	81.369%	28.553	4.209
文献[25]	88.692%	85.697%	84.442%	30.664	5.214
本文方法	89.686%	89.326%	88.985%	29.147	4.384

[1]	Hongyan WANG, Hai YUAN. Action recognition method based on fusion of skeleton and apparent features [J]. Journal on Communications, 2022, 43(1): 138-148.
[2]	Yuntian FENG, Xia WU, Xiong XU, Rongqing ZHANG. Research on ionospheric parameters prediction based on deep learning [J]. Journal on Communications, 2021, 42(4): 202-206.
[3]	Ruizhang HUANG, Wenfan JIN, Yanping CHEN, Yongbin QIN, Qinghua ZHENG. Research on Chinese predicate head recognition based on Highway-BiLSTM network [J]. Journal on Communications, 2021, 42(1): 100-107.
[4]	Han ZHANG,Yongjin HU,Yuanbo GUO,Jicheng CHEN. Research on coreference resolution technology of entity in information security [J]. Journal on Communications, 2020, 41(2): 165-175.
[5]	WANG Li’na,GUO Xiaodong,WANG Run. Automated crowdturfing attack in Chinese user reviews [J]. Journal on Communications, 2019, 40(6): 1-13.
[6]	Run WANG,Benxiao TANG,Li’na WANG. DeepRD:LSTM-based Siamese network for Android repackaged applications detection [J]. Journal on Communications, 2018, 39(8): 69-82.
[7]	Shui-fei ZENG,Xiao-yan ZHANG,Xiao-feng DU,Tian-bo LU. New method of text representation model based on neural network [J]. Journal on Communications, 2017, 38(4): 86-98.
[8]	You-jun LI,Jia-jin HUANG,Hai-yuan WANG,Ning ZHONG. Study of emotion recognition based on fusion multi-modal bio-signal with SAE and LSTM recurrent neural network [J]. Journal on Communications, 2017, 38(12): 109-120.
[9]	Xiang-kun MU,Jin-song WANG,Yu-feng XUE,Wei HUANG. Abnormal network traffic detection approach based on alive entropy [J]. Journal on Communications, 2013, 34(Z2): 51-57.
[10]	. Abnormal network traffic detection approach based on alive entropy [J]. Journal on Communications, 2013, 34(Z2): 11-57.
[11]	Zhi-xin SUN,Yi-wei TANG,Jing GONG. Novel wobble-defended M-MULTOPS structure and its application in detecting network abnormal traffic [J]. Journal on Communications, 2007, 28(8): 92-98.