基于堆叠卷积注意力的网络流量异常检测模型

doi:10.19678/j.issn.1000-3428.0063443

摘要/Abstract

摘要： 入侵检测系统（IDS）在发现网络异常和攻击方面发挥着重要作用，但传统IDS误报率较高，不能准确分析和识别异常流量。目前，深度学习技术被广泛应用于网络流量异常检测，但仅仅采用简单的深度神经网络（DNN）模型难以有效提取流量数据中的重要特征。针对上述问题，提出一种基于堆叠卷积注意力的DNN网络流量异常检测模型。通过堆叠多个以残差模块连接的注意力模块增加网络模型深度，同时在注意力模块中引入卷积神经网络、池化层、批归一化层和激活函数层，防止模型过拟合并提升模型性能，最后在DNN模型中得到输出向量。基于NSL-KDD数据集对模型性能进行评估，将数据集预处理生成二进制特征，采用多分类、二分类方式验证网络流量异常检测效果。实验结果表明，该模型性能优于KNN、SVM等机器学习模型和ANN、AlertNet等深度学习模型，其在多分类任务中识别准确率为0.807 6，较对比模型提高0.034 0~0.097 5，在二分类任务中准确率和F1分数为0.860 0和0.863 8，较对比模型提高0.013 0~0.098 8和0.030 6~0.112 8。

关键词: 网络流量异常检测, 入侵检测系统, 深度神经网络, 堆叠卷积注意力, 二进制特征

Abstract: Intrusion Detection System(IDS) plays an important role in discovering network anomalies and attacks. However, a traditional IDS has a high false alarm rate, and it is difficult to effectively analyze and identify abnormal traffic.In recent years, deep learning technology has been successfully used in the detection of network traffic anomalies, but it is difficult to accurately extract important features from traffic data using simple Deep Neural Network(DNN) models.To address these problems, this study proposes a DNN network traffic anomaly detection model based on stacked convolutional attention.It stacks multiple attention modules connected by residual modules to deepen the depth of the network model and introduces Convolutional Neural Network(CNN), pooling layer, batch normalization layer, and activation function layer in the attention module to prevent overfitting and improve the performance of the model. Finally, the output vector is obtained in DNN model.Furthermore, the NSL-KDD dataset is used to evaluate the proposed model.The dataset is preprocessed to generate binary features, and then multiple classification and binary classification methods are used to test the effect of network traffic anomaly detection.Through comparison with machine learning models such as KNN and SVM, and deep learning models such as ANN and AlertNet, the experimental results show that the accuracy, precision, and F1 score of the proposed model are better than those listed in the paper.In the multiple classification task, the recognition accuracy rate is 0.807 6, which is 0.034 0~0.097 5 higher than that of the comparison models, and the accuracy rate and F1 score are 0.860 0 and 0.863 8 in the binary classification task, respectively, which are 0.013 0~0.098 8 and 0.030 6~0.112 8 higher than those of the comparison models.

Key words: network traffic anomaly detection, Intrusion Detection System(IDS), Deep Neural Network(DNN), stacked convolutional attention, binary feature

中图分类号:

TP181

董卫宇, 李海涛, 王瑞敏, 任化娟, 孙雪凯. 基于堆叠卷积注意力的网络流量异常检测模型[J]. 计算机工程, 2022, 48(9): 12-19.

DONG Weiyu, LI Haitao, WANG Ruimin, REN Huajuan, SUN Xuekai. Network Traffic Anomaly Detection Model Based on Stacked Convolutional Attention[J]. Computer Engineering, 2022, 48(9): 12-19.

http://www.ecice06.com/CN/Y2022/V48/I9/12

图/表 8

20220917172547

20220917172550

20220917172554

20220917172558

20220917172601

20220917172605

20220917172609

20220917172612

参考文献

[1] ZHOU Y C, XU W.Angler exploit kit continues to evade detection:over 90, 000 websites compromised[EB/OL].(2016-01-11)[2021-11-15].https://unit42.paloaltonetworks.com/angler-exploit-kit-continues-to-evade-detection-over-90000-websites-compromised.
[2] PAGANINI P.ERMAC, a new banking Trojan that borrows the code from Cerberus malware[EB/OL].(2021-09-28)[2021-11-15].https://securityaffairs.co/wordpress/122657/malware/ermac-banking-trojan.html.
[3] O'NEILL P H.2021 has broken the record for zero-day hacking attacks[EB/OL].(2021-09-23)[2021-11-15].https://www.technologyreview.com/2021/09/23/1036140/2021-record-zero-day-hacks-reasons.
[4] THOTTAN M, LIU G L, JI C Y.Anomaly detection app-roaches for communication networks[M]//CORMODE G, THOTTAN M.Algorithms for next generation networks.Berlin, Germany:Springer, 2010:239-261.
[5] CHANDOLA V, BANERJEE A, KUMAR V.Anomaly detection:a survey[J].ACM Computing Surveys, 2009, 41(3):1-58.
[6] BOCHKOVSKIY A, WANG C Y, LIAO H Y M.YOLOv4:optimal speed and accuracy of object detection[EB/OL].(2020-04-23)[2021-11-15].https://arxiv.org/abs/2004.10934.
[7] VASWANI A, SHAZEER N, PARMAR N, et al.Attention is all you need[EB/OL].(2017-06-12)[2021-11-15].https://arxiv.org/abs/1706.03762.
[8] AGARAP A F M.A neural network architecture combining Gated Recurrent Unit(GRU) and Support Vector Machine(SVM) for intrusion detection in network traffic data[C]//Proceedings of the 10th International Conference on Machine Learning and Computing.New York, USA:ACM Press, 2018:26-30.
[9] SONG J, TAKAKURA H, OKABE Y.Description of Kyoto University benchmark data[EB/OL].(2016-03-15)[2021-11-15].http://www.takakura.com/Kyoto_data/BenchmarkData-Description-v5.pdf.
[10] 侯爱华, 高伟, 汪霖.基于逻辑回归模型的流量异常检测方法研究[J].工程数学学报, 2017, 34(5):479-489. HOU A H, GAO W, WANG L.Research on traffic anomaly detection method based on the logistic regression model[J].Chinese Journal of Engineering Mathematics, 2017, 34(5):479-489.(in Chinese)
[11] WANG W, ZHU M, ZENG X W, et al.Malware traffic classification using convolutional neural network for representation learning[C]//Proceedings of International Conference on Information Networking.Washington D.C., USA:IEEE Press, 2017:712-717.
[12] WANG W, ZHU M, WANG J L, et al.End-to-end encrypted traffic classification with one-dimensional convolution neural networks[C]//Proceedings of IEEE International Conference on Intelligence and Security Informatics.Washington D.C., USA:IEEE Press, 2017:43-48.
[13] YU Y, LONG J, CAI Z P.Network intrusion detection through stacking dilated convolutional autoencoders[J].Security and Communication Networks, 2017, 2017:1-10.
[14] RADFORD B J, APOLONIO L M, TRIAS A J, et al.Network traffic anomaly detection using recurrent neural networks[EB/OL].(2018-05-28)[2021-11-15].https://arxiv.org/abs/1803.10769.
[15] CLAISE B, TRAMMELL B, AITKEN P.Specification of the IP Flow Information Export(IPFIX) protocol for the exchange of flow information-2013[S].RFC 7011, Internet Engineering Task Force, 2013:2070-1721.
[16] KWON D, NATARAJAN K, SUH S C, et al.An empirical study on network anomaly detection using convolutional neural networks[C]//Proceedings of the 38th International Conference on Distributed Computing Systems.Washington D.C., USA:IEEE Press, 2018:1595-1598.
[17] MA C C, DU X H, CAO L F.Analysis of multi-types of flow features based on hybrid neural network for improving network anomaly detection[J].IEEE Access, 2019, 7:148363-148380.
[18] 杭梦鑫, 陈伟, 张仁杰.基于改进的一维卷积神经网络的异常流量检测[J].计算机应用, 2021, 41(2):433-440. HANG M X, CHEN W, ZHANG R J.Abnormal flow detection based on improved one-dimensional convolutional neural network[J].Journal of Computer Applications, 2021, 41(2):433-440.(in Chinese)
[19] GAO M H, MA L, LIU H, et al.Malicious network traffic detection based on deep neural networks and association analysis[J].Sensors(Basel, Switzerland), 2020, 20(5):1452.
[20] INGRE B, YADAV A.Performance analysis of NSL-KDD dataset using ANN[C]//Proceedings of International Conference on Signal Processing and Communication Engineering Systems.Washington D.C., USA:IEEE Press, 2015:92-96.
[21] LI Z, ZHENG Q, KAI H, et al.Intrusion detection using convolutional neural networks for representation learning[C]//Proceedings of International Conference on Neural Information Processing.Berlin, Germany:Springer, 2017:858-866.
[22] ALTWAIJRY N, ALQAHTANI A, ALTURAIKI I.A deep learning approach for anomaly-based network intrusion detection[C]//Proceedings of International Conference on Big Data and Security.Berlin, Germany:Springer, 2019:603-615.
[23] HE K M, ZHANG X Y, REN S Q, et al.Deep residual learning for image recognition[C]//Proceedings of IEEE Conference on Computer Vision and Pattern Recognition.Washington D.C., USA:IEEE Press, 2016:770-778.
[24] KINGAD A J B.A method for stochastic optimization[C]//Proceedings of International Conference on Learning Representations.San Diego, USA:[s.n.], 2015:1-10.
[25] TAVALLAEE M, BAGHERI E, LU W, et al.A detailed analysis of the KDD CUP 99 data set[C]//Proceedings of IEEE Symposium on Computational Intelligence for Security and Defense Applications.Washington D.C., USA:IEEE Press, 2009:1-6.
[26] IOFFE S, SZEGEDY C.Batch normalization:accelerating deep network training by reducing internal covariate shift[C]//Proceedings of International Conference on Machine Learning.Guangzhou, China:[s.n.], 2015:448-456.
[27] GLOROT X, BORDES A, BENGIO Y.Deep sparse rectifier neural networks[C]//Proceedings of the 14th International Conference on Artificial Intelligence and Statistics.Ft.Lauderdale, USA:[s.n.], 2011:315-323.
[28] CHANSONG D, SUPRATID S.Impacts of kernel size on different resized images in object recognition based on convolutional neural network[C]//Proceedings of the 9th International Electrical Engineering Congress.Washington D.C., USA:IEEE Press, 2021:448-451.
[29] YOU K C, LONG M S, WANG J M, et al.How does learning rate decay help modern neural networks?[EB/OL].(2019-09-26).[2021-11-15].https://arxiv.org/abs/1908.01878.

选择文件类型/文献管理软件名称

选择包含的内容