一种基于少样本且不均衡的网络攻击流量检测系统

A Network Attack Traffic Detection System Based on a Small Sample and Imbalanced Data

为解决网络攻击流量检测中使用的有监督学习方法严重依赖标签数据规模的问题,针对一种少样本且不均衡的攻击流量检测场景,即训练数据仅包含少量蜜罐捕获的攻击流量且无正常流量,设计了一个攻击流量检测系统,并构建了基于孪生网络和深度学习卷积神经网络(CNN)的网络攻击流量检测模型(CNN-Siamese),以实现少样本且不均衡的攻击流量检测目的;随后为了解决CNN-Simaese在训练样本对构造采样时造成的预测不稳定的问题,结合迁移学习的思路,构建了基于预训练的检测模型(AE-CNN-Siamese);此外,对孪生网络中常用的对比损失函数进行了改进.实验结果表明:CNN-Siamese可以准确地检测攻击流量,与CNN、CNN-SVM相比,在漏报率无明显差距情况下,可将误报率从30%降低至2%;AE-CNN-Siamese的预测结果比CNN-Siamese更稳定;改进后的损失函数提高了模型的收敛速度,加速了模型训练.

In order to solve the problem that the supervised learning method used in network attack traffic detection relies heavily on the scale of label data,an attack traffic detection system is designed and a network attack traffic detection model(CNN-Siamese)based on siamese network and deep learning convolutional neural network(CNN)is built to achieve the purpose of few-shot and uneven attack traffic detection.Subsequently,a pre-trained detection model AE-CNN-Siamese was constructed,adopting the idea of migration learning,to solve the problem of unstable prediction caused by CNN-Simaese on obtaining training samples.In addition,the contrastive loss function commonly used in a siamese network is improved.The experimental results show that CNN-Siamese can accurately detect attack traffic.Compared with CNN and CNN-SVM,it can correct the error when there is no significant gap in the false negative rate.The reporting rate is reduced from 30%to 2%;the prediction result of AE-CNN-Sia-mese is more stable than that of CNN-Siamese;the improved loss function improves the convergence speed of the model and accelerates model training.