Computer Systems & Applications (计算机系统应用), 2020, Vol. 29, Issue 6: 39-46

Network Packet Intrusion Detection Method Based on CNN and SVM
XU Xue-Li, DUAN Juan, XIAO Chuang-Bai, ZHANG Bin
Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China
Foundation item: National Natural Science Foundation of China (61501008); Natural Science Foundation of Beijing Municipality (4172002, 4172012); Science and Technology Program of Beijing Municipality (Z171100004717001); Science and Technology Plan of Beijing Municipal Education Commission (KM201910005029)
Abstract: To further improve the accuracy of network anomaly detection, and based on an analysis of existing intrusion detection methods, this study proposes a network packet intrusion detection method based on Convolutional Neural Networks (CNN) and Support Vector Machine (SVM). The method first preprocesses the data into a two-axis matrix. To prevent the model from over-fitting, the permutation function is used to randomly shuffle the data, and the CNN then learns effective features from the preprocessed data. Finally, an SVM classifier classifies the vectors. For the dataset, we use the Kyoto University honeypot system dataset, an authoritative dataset commonly used in network intrusion detection. The proposed method is compared with existing models with high detection rates, such as GRU-Softmax and GRU-SVM. The model improves on their highest accuracy by 19.39% and 12.83% respectively, which further improves the accuracy of network anomaly detection. At the same time, the method greatly improves training speed and test speed.
Key words: intrusion detection; Convolutional Neural Networks (CNN); Support Vector Machine (SVM); text classification; deep learning

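1 Introduction

2 Related Work

3 Packet Intrusion Detection Method Based on CNN and SVM

3.1 Data Preprocessing

3.2 CNN-SVM Model Architecture

3.3 CNN-SVM Algorithm Principle

 Figure 1 Structure of the CNN-SVM model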

 $ReLU(x) = \begin{cases} 0, & \text{if } x \le 0 \\ x, & \text{if } x > 0 \end{cases}$ (1)

 $\min \dfrac{1}{n}\|w\|_2^2 + C\sum\limits_{i = 1}^{n} \max\left(0,\, 1 - y'_i\left(w^{\rm T}x_i + b\right)\right)^2$ (2)

4 Experimental Results and Analysis

4.1 Evaluation Metrics

 $TPR = \dfrac{TP}{TP + FN}$ (3)
 $TNR = \dfrac{TN}{TN + FP}$ (4)
 $FPR = \dfrac{FP}{FP + TN}$ (5)
 $FNR = \dfrac{FN}{FN + TP}$ (6)

 $accr = \dfrac{TP + TN}{TP + FN + FP + TN}$ (7)
 $recall = \dfrac{TP}{TP + FN}$ (8)
 $precision = \dfrac{TP}{TP + FP}$ (9)
 $error = \dfrac{FP + FN}{TP + FN + FP + TN}$ (10)
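
Added example (not code from the paper): a pure-Python linear L2-SVM trained by gradient descent on the squared-hinge objective of Eq. (2), then scored with the metrics of Eq. (3)-(10). The 2-D points are constructed stand-ins for CNN-extracted features, and the function names, learning rate, epoch count and C = 1 are assumptions.

```python
# Added example: Eq. (2) L2-SVM objective and Eq. (3)-(10) metrics, stdlib only.
# Constructed data: 2-D vectors stand in for CNN features; +1 = attack, -1 = normal.
TRAIN = [((2.0, 1.5), 1), ((1.5, 2.5), 1), ((3.0, 2.0), 1), ((2.5, 3.0), 1),
         ((-2.0, -1.5), -1), ((-1.5, -2.5), -1), ((-3.0, -2.0), -1), ((-2.5, -3.0), -1)]
TEST = [((2.0, 2.0), 1), ((1.0, 3.0), 1), ((0.5, 0.5), 1), ((-0.5, -1.0), 1),
        ((-2.0, -2.0), -1), ((-1.0, -3.0), -1), ((-3.0, -0.5), -1),
        ((-0.5, -0.5), -1), ((-1.5, -1.0), -1), ((1.0, 0.5), -1)]

def score(w, b, x):
    return sum(wj * xj for wj, xj in zip(w, x)) + b

def objective(w, b, data, C=1.0):
    """Eq. (2): (1/n)*||w||_2^2 + C * sum_i max(0, 1 - y_i*(w.x_i + b))^2."""
    reg = sum(wj * wj for wj in w) / len(data)
    return reg + C * sum(max(0.0, 1 - y * score(w, b, x)) ** 2 for x, y in data)

def train(data, C=1.0, lr=0.002, epochs=200):
    """Full-batch gradient descent on Eq. (2), starting from w = 0, b = 0."""
    n, dim = len(data), len(data[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [2 * wj / n for wj in w], 0.0
        for x, y in data:
            m = max(0.0, 1 - y * score(w, b, x))  # margin violation of sample i
            for j in range(dim):
                gw[j] -= 2 * C * y * m * x[j]
            gb -= 2 * C * y * m
        w = [wj - lr * g for wj, g in zip(w, gw)]
        b -= lr * gb
    return w, b

def predict(w, b, x):
    return 1 if score(w, b, x) >= 0 else -1

def metrics(w, b, data):
    """Confusion counts with attack (+1) as the positive class, then Eq. (3)-(10)."""
    pairs = [(y, predict(w, b, x)) for x, y in data]
    tp = sum(1 for y, p in pairs if y == 1 and p == 1)
    fn = sum(1 for y, p in pairs if y == 1 and p == -1)
    tn = sum(1 for y, p in pairs if y == -1 and p == -1)
    fp = sum(1 for y, p in pairs if y == -1 and p == 1)
    total = tp + fn + fp + tn
    return {"TPR": tp / (tp + fn), "TNR": tn / (tn + fp), "FPR": fp / (fp + tn),
            "FNR": fn / (fn + tp), "accr": (tp + tn) / total, "recall": tp / (tp + fn),
            "precision": tp / (tp + fp), "error": (fp + fn) / total}

if __name__ == "__main__":
    w, b = train(TRAIN)
    print(objective([0.0, 0.0], 0.0, TRAIN), objective(w, b, TRAIN))
    print(metrics(w, b, TEST))
```

The constructed test set contains one attack that resembles normal traffic and one normal sample that resembles an attack, so FN and FP are both non-zero and the metrics differ from one another.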

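4.2 Experimental Results

The training times of the three models are shown in Table 10; the training and testing times of the proposed CNN-SVM model are both better than those of the other two models. The accuracy of the three models on the training dataset and on the testing dataset is shown in Figures 2 and 3. The figures show that the proposed model achieves higher accuracy than the other two models on both the training data and the testing data.

 Figure 2 Accuracy comparison of the three models on the training dataset

 Figure 3 Accuracy comparison of the three models on the testing dataset

The loss curves of the three models during training are shown in Figures 4, 5 and 6.

 Figure 4 Training loss curve of the CNN-SVM model

 Figure 5 Training loss curve of the GRU-SVM model

 Figure 6 Training loss curve of the GRU-Softmax model

5 Conclusion and Future Work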
