基于Transformer与BiLSTM的网络流量入侵检测

doi:10.19678/j.issn.1000-3428.0065135

摘要/Abstract

摘要： 网络流量入侵检测技术对主机和平台安全起着重要作用。目前常采用机器学习和深度学习技术进行网络流量入侵检测，然而相关数据集的不平衡问题导致模型偏向于学习多数类数据的特征而忽视少数类数据的特征，严重影响了检测准确率。结合SMOTE算法和生成对抗网络（GAN）构建OSW模型对训练数据进行预处理，通过Wasserstein GAN学习少数类数据分布情况，避免边缘分布问题，构造平衡数据集。建立基于Transformer与双向长短时记忆-深度神经网络（BiLSTM-DNN）的TBD入侵检测模型，使用Transformer中的编码器捕捉全局联系并对输入数据进行初步特征提取，利用BiLSTM网络进行长距离依赖特征提取保留数据的序列化特征，采用DNN进一步提取深层次特征，最终通过Softmax分类器获得分类结果。在NSL_KDD数据集上的实验结果表明，在进行数据平衡处理后TBD模型的二分类和五分类任务检测准确率分别达到90.3%和79.8%，均高于对比的深度神经网络模型以及机器学习算法。

关键词: 入侵检测, 多头注意力, 双向长短时记忆网络, 深度神经网络, 数据平衡处理

Abstract: Intrusion detection technology based on network traffic plays a critical role in host and platform security. Currently, machine learning and deep learning are often used for network traffic intrusion detection.However, the imbalance in datasets causes the model to tend to learn the features of the majority class data and ignore the features of the minority class data, adversely affecting the accuracy of the network intrusion detection model.Therefore, the Synthetic Minority Oversampling Technique(SMOTE) algorithm and the Generative Adversarial Network(GAN) is combined to construct a model, called OSW, to preprocess the training data.The minority class data distribution is learned through Wasserstein GAN(WGAN) to prevent the problem of marginal distribution and construct a balanced dataset.In addition, an intrusion detection model based on the Transformer and Bidirectional Long Short-Term Memory Deep Neural Network(BiLSTM-DNN), called TBD, is built.The encoder part of the transformer is used to globally capture the connection, and preliminary feature extraction is performed on the input data.The BiLSTM network is used to perform long-distance-dependent feature extraction to retain the serialized features of the data, and DNN is used to further extract deep-level features.The classification results are obtained using the Softmax classifier.The NSL_KDD dataset is used in the experiment. The experimental results show that after the dataset balance processing, the TBD model achieves 90.3% accuracy for the two-class task and 79.8% for the five-class task, which are both higher than those of the comparative deep learning network models and machine learning algorithms.

Key words: intrusion detection, multi-head attention, Bidirectional Long Short-Term Memory(BiLSTM) network, Deep Neural Network(DNN), data balance processing

中图分类号:

TP393.08

石磊, 张吉涛, 高宇飞, 卫琳, 陶永才. 基于Transformer与BiLSTM的网络流量入侵检测[J]. 计算机工程, 2023, 49(3): 29-36,57.

SHI Lei, ZHANG Jitao, GAO Yufei, WEI Lin, TAO Yongcai. Intrusion Detection of Network Traffic Based on Transformer and BiLSTM[J]. Computer Engineering, 2023, 49(3): 29-36,57.

http://www.ecice06.com/CN/Y2023/V49/I3/29

图/表 12

20230314184318

20230314184321

20230314184325

20230314184328

20230314184331

20230314184334

20230314184338

20230314184341

20230314184344

20230314184349

20230314184352

20230314184355

参考文献

[1] SULTANA N, CHILAMKURTI N, PENG W, et al.Survey on SDN based network intrusion detection system using machine learning approaches[J].Peer-to-Peer Networking and Applications, 2019, 12(2):493-501.
[2] FARHAN B I, JASIM A D.A survey of intrusion detection using deep learning in Internet of Things[J].IRAQI Journal for Computer Science and Mathematics, 2022, 3(1):83-93.
[3] 刘奇旭, 陈艳辉, 尼杰硕, 等.基于机器学习的工业互联网入侵检测综述[J].计算机研究与发展, 2022, 59(5):994-1014. LIU Q X, CHEN Y H, NI J S, et al.Survey on machine learning-based anomaly detection for industrial Internet[J].Journal of Computer Research and Development, 2022, 59(5):994-1014.(in Chinese)
[4] 周杰英, 贺鹏飞, 邱荣发, 等.融合随机森林和梯度提升树的入侵检测研究[J].软件学报, 2021, 32(10):3254-3265. ZHOU J Y, HE P F, QIU R F, et al.Research on intrusion detection based on random forest and gradient boosting tree[J].Journal of Software, 2021, 32(10):3254-3265.(in Chinese)
[5] 张玲, 张建伟, 桑永宣, 等.基于随机森林与人工免疫的入侵检测算法[J].计算机工程, 2020, 46(8):146-152. ZHANG L, ZHANG J W, SANG Y X, et al.Intrusion detection algorithm based on random forest and artificial immunity[J].Computer Engineering, 2020, 46(8):146-152.(in Chinese)
[6] 戚名钰, 刘铭, 傅彦铭.基于PCA的SVM网络入侵检测研究[J].信息网络安全, 2015(2):15-18. QI M Y, LIU M, FU Y M.Research on network intrusion detection using support vector machines based on principal component analysis[J].Netinfo Security, 2015(2):15-18.(in Chinese)
[7] 王旭仁, 马慧珍, 冯安然, 等.基于信息增益与主成分分析的网络入侵检测方法[J].计算机工程, 2019, 45(6):175-180. WANG X R, MA H Z, FENG A R, et al.Network intrusion detection method based on information gain and principal components analysis[J].Computer Engineering, 2019, 45(6):175-180.(in Chinese)
[8] ZHANG H, LI J L, LIU X M, et al.Multi-dimensional feature fusion and stacking ensemble mechanism for network intrusion detection[J].Future Generation Computer Systems, 2021, 122:130-143.
[9] 张玉清, 董颖, 柳彩云, 等.深度学习应用于网络空间安全的现状、趋势与展望[J].计算机研究与发展, 2018, 55(6):1117-1142. ZHANG Y Q, DONG Y, LIU C Y, et al.Situation, trends and prospects of deep learning applied to cyberspace security[J].Journal of Computer Research and Development, 2018, 55(6):1117-1142.(in Chinese)
[10] AL-TURAIKI I, ALTWAIJRY N.A convolutional neural network for improved anomaly-based network intrusion detection[J].Big Data, 2021, 9(3):233-252.
[11] SINGH N B, SINGH M M, SARKAR A, et al.A novel wide & deep transfer learning stacked GRU framework for network intrusion detection[J].Journal of Information Security and Applications, 2021, 61:102899.
[12] NGUYEN M T, KIM K.Genetic convolutional neural network for intrusion detection systems[J].Future Generation Computer Systems, 2020, 113:418-427.
[13] 刘月峰, 蔡爽, 杨涵晰, 等.融合CNN与BiLSTM的网络入侵检测方法[J].计算机工程, 2019, 45(12):127-133. LIU Y F, CAI S, YANG H X, et al.Network intrusion detection method integrating CNN and BiLSTM[J].Computer Engineering, 2019, 45(12):127-133.(in Chinese)
[14] 石乐义, 朱红强, 刘祎豪, 等.基于相关信息熵和CNN-BiLSTM的工业控制系统入侵检测[J].计算机研究与发展, 2019, 56(11):2330-2338. SHI L Y, ZHU H Q, LIU W H, et al.Intrusion detection of industrial control system based on correlation information entropy and CNN-BiLSTM[J].Journal of Computer Research and Development, 2019, 56(11):2330-2338.(in Chinese)
[15] 马明艳.基于深度学习的多分类入侵检测研究[D].南京:南京邮电大学, 2021. MA M Y.Research on multi-class intrusion detection based on deep learning[D].Nanjing:Nanjing University of Posts and Telecommunications, 2021.(in Chinese)
[16] 生龙, 袁丽娜, 武南南, 等.基于GSA与DE优化混合核ELM的网络异常检测模型[J].计算机工程, 2022, 48(6):146-153. SHENG L, YUAN L N, WU N N, et al.Network anomaly detection model based on GSA and DE optimizing hybrid kernel ELM[J].Computer Engineering, 2022, 48(6):146-153.(in Chinese)
[17] 魏思政, 刘厚泉, 赵志凯.基于DBN-ELM的入侵检测研究[J].计算机工程, 2018, 44(9):153-158. WEI S Z, LIU H Q, ZHAO Z K.Research on intrusion detection based on DBN-ELM[J].Computer Engineering, 2018, 44(9):153-158.(in Chinese)
[18] JOHNSON J M, KHOSHGOFTAAR T M.Survey on deep learning with class imbalance[J].Journal of Big Data, 2019, 6(1):1-14.
[19] FERNANDO K R M, TSOKOS C P.Dynamically weighted balanced loss:class imbalanced learning and confidence calibration of deep neural networks[J].IEEE Transactions on Neural Networks and Learning Systems, 2022, 33(7):2940-2951.
[20] LIU L, WANG P C, LIN J, et al.Intrusion detection of imbalanced network traffic based on machine learning and deep learning[J].IEEE Access, 2020, 9:7550-7563.
[21] JEATRAKUL P, WONG K W, FUNG C C.Classification of imbalanced data by combining the complementary neural network and SMOTE algorithm[C]//Proceedings of the 17th International Conference on Neural Information Processing:Models and Applications.New York, USA:ACM Press, 2010:152-159.
[22] ARJOVSKY M, CHINTALA S, BOTTOU L.Wasserstein GAN[EB/OL].[2022-06-13].https://arxiv.org/abs/1701.07875.
[23] TAVALLAEE M, BAGHERI E, LU W, et al.A detailed analysis of the KDD CUP 99 data set[C]//Proceedings of IEEE Symposium on Computational Intelligence for Security and Defense Applications.Washington D.C., USA:IEEE Press, 2009:1-6.
[24] ZHU X, SOBIHANI P, GUO H.Long short-term memory over recursive structures[C]//Proceedings of the 32nd International Conference on Machine Learning.New York, USA:ACM Press, 2015:1604-1612.
[25] HE H B, GARCIA E A.Learning from imbalanced data[J].IEEE Transactions on Knowledge and Data Engineering, 2009, 21(9):1263-1284.
[26] GAMAGE S, SAMARABANDU J.Deep learning methods in network intrusion detection:a survey and an objective comparison[J].Journal of Network and Computer Applications, 2020, 169:102767.

选择文件类型/文献管理软件名称

选择包含的内容