A Traffic Anomaly Detection Method Based on the Joint Model of Attention Mechanism and One-Dimensional Convolutional Neural Network-Bidirectional Long Short Term Memory

YIN Zinuo, MA Hailong, HU Tao

Citation: YIN Zinuo, MA Hailong, HU Tao. A Traffic Anomaly Detection Method Based on the Joint Model of Attention Mechanism and One-Dimensional Convolutional Neural Network-Bidirectional Long Short Term Memory[J]. Journal of Electronics & Information Technology, 2023, 45(10): 3719-3728. doi: 10.11999/JEIT220959


doi: 10.11999/JEIT220959
Funding: National Key R&D Program of China (2018YFB0804002)
Details
    About the authors:

    YIN Zinuo: female, Ph.D. candidate; research interests include cyberspace security and network traffic anomaly detection

    MA Hailong: male, associate research fellow; research interests include endogenous cyberspace security technology, intelligent detection of network threats, and novel network architectures

    HU Tao: male, assistant research fellow; research interests include novel network architectures

    Corresponding author:

    YIN Zinuo yinzinuo1997@163.com

  • CLC number: TN915.08; TP393

  • Abstract: To address the problem that class imbalance in traffic datasets limits a classifier's ability to detect minority-class attack traffic, this paper proposes a traffic anomaly detection method based on a joint model of an attention mechanism and a one-dimensional convolutional neural network-bidirectional long short-term memory network (1DCNN-BiLSTM). First, during data preprocessing, the BorderlineSMOTE method is applied to the imbalanced training samples so that all traffic classes are balanced, which lets the subsequent model be trained adequately on every class. Then a model combining the attention mechanism with 1DCNN-BiLSTM is designed to train on the traffic data: it extracts the local and long-range sequence features of the traffic and classifies them, and the attention mechanism weights the features useful for classification by their importance, raising the detection rate for minority attack classes. Experimental results show that, compared with several existing methods, the proposed method achieves the highest detection accuracy on the NSL-KDD and CICIDS2017 datasets (up to 93.17% and 98.65%) and improves the detection rate of privilege-escalation (U2R) attack traffic in NSL-KDD by at least 13.70%, demonstrating its effectiveness at raising the detection rate of minority-class attack traffic.
  • Figure 1  Traffic anomaly detection framework

    Figure 2  Structure of the joint attention mechanism and 1DCNN-BiLSTM model

    Figure 3  1DCNN structure

    Figure 4  BiLSTM structure

    Figure 5  Multi-class detection rate on the NSL-KDD dataset

    Figure 6  Multi-class detection precision on the NSL-KDD dataset

    Figure 7  Multi-class false alarm rate on the NSL-KDD dataset

    Figure 8  Multi-class detection F1-score on the NSL-KDD dataset

    Algorithm 1  Forward LSTM and backward LSTM computation

    | Forward LSTM | Backward LSTM |
    |---|---|
    | $ {{\boldsymbol{i}}_t} = \sigma ({{\boldsymbol{W}}_i}[{{\boldsymbol{h}}_{t - 1}},{{\boldsymbol{x}}_t}] + {{\boldsymbol{b}}_i}) $ | $ {{\boldsymbol{i}}_t} = \sigma ({{\boldsymbol{W}}_i}[{{\boldsymbol{h}}_{t + 1}},{{\boldsymbol{x}}_t}] + {{\boldsymbol{b}}_i}) $ |
    | $ {{\boldsymbol{f}}_t} = \sigma ({{\boldsymbol{W}}_f}[{{\boldsymbol{h}}_{t - 1}},{{\boldsymbol{x}}_t}] + {{\boldsymbol{b}}_f}) $ | $ {{\boldsymbol{f}}_t} = \sigma ({{\boldsymbol{W}}_f}[{{\boldsymbol{h}}_{t + 1}},{{\boldsymbol{x}}_t}] + {{\boldsymbol{b}}_f}) $ |
    | $ {{\boldsymbol{g}}_t} = \tanh ({{\boldsymbol{W}}_c}[{{\boldsymbol{h}}_{t - 1}},{{\boldsymbol{x}}_t}] + {{\boldsymbol{b}}_c}) $ | $ {{\boldsymbol{g}}_t} = \tanh ({{\boldsymbol{W}}_c}[{{\boldsymbol{h}}_{t + 1}},{{\boldsymbol{x}}_t}] + {{\boldsymbol{b}}_c}) $ |
    | $ {{\boldsymbol{C}}_t} = {{\boldsymbol{i}}_t} \odot {{\boldsymbol{g}}_t} + {{\boldsymbol{f}}_t} \odot {{\boldsymbol{C}}_{t - 1}} $ | $ {{\boldsymbol{C}}_t} = {{\boldsymbol{i}}_t} \odot {{\boldsymbol{g}}_t} + {{\boldsymbol{f}}_t} \odot {{\boldsymbol{C}}_{t + 1}} $ |
    | $ {{\boldsymbol{o}}_t} = \sigma ({{\boldsymbol{W}}_o}[{{\boldsymbol{h}}_{t - 1}},{{\boldsymbol{x}}_t}] + {{\boldsymbol{b}}_o}) $ | $ {{\boldsymbol{o}}_t} = \sigma ({{\boldsymbol{W}}_o}[{{\boldsymbol{h}}_{t + 1}},{{\boldsymbol{x}}_t}] + {{\boldsymbol{b}}_o}) $ |
    | ${{\boldsymbol{h'}}_t} = {{\boldsymbol{o}}_t} \odot \tanh ({{\boldsymbol{C}}_t})$ | ${{\boldsymbol{h''}}_t} = {{\boldsymbol{o}}_t} \odot \tanh ({{\boldsymbol{C}}_t})$ |
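The two cells of Algorithm 1 carried through in code, as an added example that is not part of the paper or its authors' code: a pure-Python forward LSTM (state from h_{t-1}) and backward LSTM (state from h_{t+1}) whose per-step outputs h'_t and h''_t are concatenated into the BiLSTM feature vector. The weights P_FWD/P_BWD and the sequence SAMPLE_SEQ are constructed toy values (hidden size 1, scalar inputs), not the paper's trained parameters.

```python
import math

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def matvec(w, v):
    # w is a list of rows; returns the product w·v
    return [sum(a * b for a, b in zip(row, v)) for row in w]

def lstm_step(params, h_prev, c_prev, x):
    """One LSTM cell step from Algorithm 1: every gate reads [h, x].
    For the forward cell h_prev/c_prev are h_{t-1}/C_{t-1};
    for the backward cell they are h_{t+1}/C_{t+1}."""
    wi, bi, wf, bf, wc, bc, wo, bo = params
    z = list(h_prev) + list(x)                                  # [h, x] concatenation
    i = [sigmoid(a + b) for a, b in zip(matvec(wi, z), bi)]     # input gate i_t
    f = [sigmoid(a + b) for a, b in zip(matvec(wf, z), bf)]     # forget gate f_t
    g = [math.tanh(a + b) for a, b in zip(matvec(wc, z), bc)]   # candidate g_t
    o = [sigmoid(a + b) for a, b in zip(matvec(wo, z), bo)]     # output gate o_t
    c = [ii * gg + ff * cc for ii, gg, ff, cc in zip(i, g, f, c_prev)]  # C_t
    h = [oo * math.tanh(cc) for oo, cc in zip(o, c)]                    # h_t
    return h, c

def bilstm(fwd_params, bwd_params, xs, hidden):
    """Forward LSTM runs t = 1..T, backward LSTM runs t = T..1; both start
    from zero state. Output at each t is [h'_t ; h''_t]."""
    zeros = [0.0] * hidden
    fwd, h, c = [], zeros, zeros
    for x in xs:
        h, c = lstm_step(fwd_params, h, c, x)
        fwd.append(h)
    bwd, h, c = [None] * len(xs), zeros, zeros
    for t in range(len(xs) - 1, -1, -1):
        h, c = lstm_step(bwd_params, h, c, xs[t])
        bwd[t] = h
    return [fwd[t] + bwd[t] for t in range(len(xs))]

# Constructed toy parameters (hidden size 1, scalar input, so [h, x] has 2 entries); not the paper's weights.
P_FWD = ([[1.0, 1.0]], [0.0], [[1.0, 1.0]], [0.0], [[1.0, 1.0]], [0.0], [[1.0, 1.0]], [0.0])
P_BWD = ([[0.5, -1.0]], [0.1], [[1.0, 0.5]], [0.0], [[-1.0, 1.0]], [0.2], [[0.5, 0.5]], [-0.1])
SAMPLE_SEQ = [[1.0], [-0.5], [0.25]]   # constructed 3-step sequence of flow features

def sample_features():
    """BiLSTM output per time step for the constructed sequence."""
    return bilstm(P_FWD, P_BWD, SAMPLE_SEQ, hidden=1)

if __name__ == "__main__":
    for t, feat in enumerate(sample_features()):
        print(f"t={t}: h'={feat[0]:+.4f}  h''={feat[1]:+.4f}")
```

Because the backward cell starts from zero state at t = T, its output at the last step equals a single cell step on x_T alone, which is the property the attention layer later relies on when it weights h'_t and h''_t separately.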

    Table 1  Data distribution of the NSL-KDD dataset

    | Category | Normal | DoS | Probe | U2R | R2L | Total |
    |---|---|---|---|---|---|---|
    | KDDTrain+_20Percent | 13 449 | 9 234 | 2 289 | 11 | 209 | 25 192 |
    | KDDTest+ | 9 711 | 7 458 | 2 116 | 200 | 3 059 | 22 544 |

    Table 2  Data distribution of the CICIDS2017 dataset

    | Category | Normal | Bot | DDoS | DoS GoldenEye | DoS Hulk | DoS Slowhttptest | DoS Slowloris | FTP-Patator |
    |---|---|---|---|---|---|---|---|---|
    | Count | 2 271 320 | 1 956 | 128 025 | 10 293 | 230 124 | 5 499 | 5 796 | 7 935 |

    | Category | Heartbleed | Infiltration | PortScan | SSH-Patator | Web Attack Brute Force | Web Attack-SQL Injection | Web Attack-XSS | Total |
    |---|---|---|---|---|---|---|---|---|
    | Count | 11 | 36 | 158 804 | 2 897 | 1 507 | 21 | 652 | 2 824 876 |

    Table 3  Binary classification results on the NSL-KDD dataset (%)

    | Model | Sampling method | Accuracy | Precision | Detection rate | False alarm rate | F1-score |
    |---|---|---|---|---|---|---|
    | MLP | none | 78.73 | 90.58 | 69.97 | 9.69 | 78.92 |
    | MLP | ROS | 79.08 | 92.03 | 69.34 | 8.04 | 79.04 |
    | MLP | BorderlineSMOTE | 79.92 | 93.26 | 71.02 | 6.72 | 79.82 |
    | RF | none | 80.17 | 90.84 | 72.46 | 9.65 | 80.62 |
    | RF | ROS | 80.52 | 90.79 | 73.21 | 9.81 | 81.06 |
    | RF | BorderlineSMOTE | 80.88 | 90.18 | 74.53 | 10.73 | 81.61 |
    | CNN[19] | none | 81.43 | 89.04 | 76.91 | 12.58 | 82.38 |
    | CNN[19] | ROS | 82.17 | 90.65 | 76.55 | 9.95 | 83.07 |
    | CNN[19] | BorderlineSMOTE | 84.20 | 91.69 | 78.96 | 8.87 | 84.91 |
    | BiLSTM[14] | none | 85.18 | 80.16 | 89.03 | 17.73 | 84.36 |
    | BiLSTM[14] | ROS | 86.73 | 92.49 | 83.46 | 8.96 | 87.74 |
    | BiLSTM[14] | BorderlineSMOTE | 87.01 | 92.54 | 83.96 | 7.95 | 88.04 |
    | DTNB+MOEFS[23] | none | 83.04 | 82.79 | 82.29 | 16.73 | 82.54 |
    | DTNB+MOEFS[23] | ROS | 85.96 | 86.02 | 85.14 | 14.09 | 85.58 |
    | DTNB+MOEFS[23] | BorderlineSMOTE | 87.57 | 88.49 | 86.20 | 13.30 | 87.33 |
    | 1DCNN-BiLSTM | none | 84.37 | 82.16 | 85.05 | 13.56 | 83.58 |
    | 1DCNN-BiLSTM | ROS | 86.13 | 84.92 | 86.23 | 12.74 | 85.57 |
    | 1DCNN-BiLSTM | BorderlineSMOTE | 89.06 | 88.42 | 88.92 | 10.34 | 88.67 |
    | Proposed model | none | 88.94 | 90.90 | 89.53 | 11.84 | 90.20 |
    | Proposed model | ROS | 89.54 | 91.66 | 89.78 | 10.79 | 90.71 |
    | Proposed model | BorderlineSMOTE | 93.17 | 93.52 | 94.55 | 8.64 | 94.03 |

    Table 4  Binary classification results on the CICIDS2017 dataset (%)

    | Model | Accuracy | Precision | Detection rate | False alarm rate | F1-score |
    |---|---|---|---|---|---|
    | MLP | 94.01 | 86.94 | 93.00 | 5.61 | 89.87 |
    | CNN[19] | 95.68 | 91.36 | 93.43 | 3.29 | 92.38 |
    | BiLSTM[14] | 98.14 | 92.86 | 96.85 | 3.74 | 94.81 |
    | RF | 96.61 | 93.28 | 94.20 | 3.51 | 93.74 |
    | DTNB+MOEFS[23] | 96.80 | 97.40 | 96.70 | 3.70 | 97.05 |
    | Joint attention mechanism and 1DCNN-BiLSTM model | 98.65 | 97.21 | 99.77 | 3.07 | 98.47 |
    References

    [1] Statista Research Department. Number of internet of things (IoT) connected devices worldwide from 2019 to 2021, with forecasts from 2022 to 2030[EB/OL]. https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/, 2022.
    [2] SU Yu, QI Kaiyue, DI Chong, et al. Learning automata based feature selection for network traffic intrusion detection[C]. 2018 IEEE Third International Conference on Data Science in Cyberspace, Guangzhou, China, 2018: 622–627.
    [3] SYARIF I, PRUGEL-BENNETT A, and WILLS G. Unsupervised clustering approach for network anomaly detection[C]. 4th International Conference on Networked Digital Technologies, Berlin, Germany, 2012: 135–145.
    [4] BO Li and YUAN Chenyuan. The research of intrusion detection based on support vector machine[C]. 2009 International Conference on Computer and Communications Security, Hong Kong, China, 2009: 21–23.
    [5] TENGL S, ZHANG Zhenhua, TENG Luyao, et al. A collaborative intrusion detection model using a novel optimal weight strategy based on genetic algorithm for ensemble classifier[C]. 2018 IEEE 22nd International Conference on Computer Supported Cooperative Work in Design, Nanjing, China, 2018: 761–766.
    [6] SORNSUWIT P and JAIYEN S. Intrusion detection model based on ensemble learning for U2R and R2L attacks[C]. 2015 7th International Conference on Information Technology and Electrical Engineering, Chiang Mai, Thailand, 2015: 354–359.
    [7] NEGANDHI P, TRIVEDI Y, and MANGRULKAR R. Intrusion detection system using random forest on the NSL-KDD dataset[C]. Emerging Research in Computing, Information, Communication and Applications, Singapore, 2019: 519–531.
    [8] KORONIOTIS N, MOUSTAFA N, SITNIKOVA E, et al. Towards developing network forensic mechanism for botnet activities in the IoT based on machine learning techniques[C]. International Conference on Mobile Networks and Management, Cham, Switzerland, 2018: 30–44.
    [9] D'HOOGE L, WAUTERS T, VOLCKAERT B, et al. Inter-dataset generalization strength of supervised machine learning methods for intrusion detection[J]. Journal of Information Security and Applications, 2020, 54: 102564. doi: 10.1016/j.jisa.2020.102564
    [10] TANG T A, MHAMDI L, MCLERNON D, et al. Deep learning approach for network intrusion detection in software defined networking[C]. 2016 International Conference on Wireless Networks and Mobile Communications, Fez, Morocco, 2016: 258–263.
    [11] SHONE N, NGOC T N, PHAI V D, et al. A deep learning approach to network intrusion detection[J]. IEEE Transactions on Emerging Topics in Computational Intelligence, 2018, 2(1): 41–50. doi: 10.1109/TETCI.2017.2772792
    [12] DONG Shuqin and ZHANG Bin. Network traffic anomaly detection method based on deep features learning[J]. Journal of Electronics & Information Technology, 2020, 42(3): 695–703. doi: 10.11999/JEIT190266
    [13] MIAO Xianghua and SHAN Xiaoche. Research on intrusion detection technology based on densely connected convolutional neural networks[J]. Journal of Electronics & Information Technology, 2020, 42(11): 2706–2712. doi: 10.11999/JEIT190655
    [14] SIVAMOHAN S, SRIDHAR S S, and KRISHNAVENI S. An effective recurrent neural network (RNN) based intrusion detection via bi-directional long short-term memory[C]. 2021 International Conference on Intelligent Technologies (CONIT), Hubli, India, 2021: 1–5.
    [15] EBENUWA S H, SHARIF M S, ALAZAB M, et al. Variance ranking attributes selection techniques for binary classification problem in imbalance data[J]. IEEE Access, 2019, 7: 24649–24666. doi: 10.1109/ACCESS.2019.2899578
    [16] CHAWLA N V, BOWYER K W, HALL L O, et al. SMOTE: Synthetic minority over-sampling technique[J]. Journal of Artificial Intelligence Research, 2002, 16: 321–357. doi: 10.1613/jair.953
    [17] HE Haibo, BAI Yang, GARCIA E A, et al. ADASYN: Adaptive synthetic sampling approach for imbalanced learning[C]. 2008 IEEE International Joint Conference on Neural Networks (IEEE World Congress on Computational Intelligence), Hong Kong, China, 2008: 1322–1328.
    [18] HE Haibo and GARCIA E A. Learning from imbalanced data[J]. IEEE Transactions on Knowledge and Data Engineering, 2009, 21(9): 1263–1284. doi: 10.1109/TKDE.2008.239
    [19] YU Yingwei and BIAN Naizheng. An intrusion detection method using few-shot learning[J]. IEEE Access, 2020, 8: 49730–49740. doi: 10.1109/ACCESS.2020.2980136
    [20] CHOWDHURY M M U, HAMMOND F, KONOWICZ G, et al. A few-shot deep learning approach for improved intrusion detection[C]. 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), New York, USA, 2017: 456–462.
    [21] CHORAŚ M and PAWLICKI M. Intrusion detection approach based on optimised artificial neural network[J]. Neurocomputing, 2021, 452: 705–715. doi: 10.1016/j.neucom.2020.07.138
    [22] BEDI P, GUPTA N, and JINDAL V. I-SiamIDS: An improved Siam-IDS for handling class imbalance in network-based intrusion detection systems[J]. Applied Intelligence, 2021, 51(2): 1133–1151. doi: 10.1007/s10489-020-01886-y
    [23] PANIGRAHI R, BORAH S, PRAMANIK M, et al. Intrusion detection in cyber-physical environment using hybrid Naïve Bayes-Decision table and multi-objective evolutionary feature selection[J]. Computer Communications, 2022, 188: 133–144. doi: 10.1016/j.comcom.2022.03.009
Publication history
  • Received: 2022-07-18
  • Revised: 2022-09-03
  • Published online: 2022-09-06
  • Issue date: 2023-10-31
