Abstract
To address class imbalance in the data and incomplete feature learning in deep-learning-based intrusion detection, this paper proposes a neural network intrusion detection model that fuses a convolutional neural network (CNN) with a bidirectional gated recurrent unit (BiGRU). The SMOTE-Tomek algorithm is used to balance the dataset; a feature-importance algorithm based on mean decrease impurity performs feature selection; the CNN and BiGRU models are fused at the feature level and an attention mechanism is introduced for feature extraction, so as to improve the overall detection performance of the model. Multi-class experiments were run on the CSE-CIC-IDS2018 intrusion detection dataset and compared against classical single deep learning models. The experimental results show that, in terms of dataset balancing, after SMOTE-Tomek processing the recognition accuracy for DoS attacks-Slow HTTP Test rose from 0 to 34.66%, that for SQL Injection rose from 0 to 100%, and those for DDoS attack-LOIC-UDP, Brute Force-Web and Brute Force-XSS improved by 5.22, 6.55 and 35.71 percentage points respectively, demonstrating that the balanced dataset markedly improves recognition accuracy on the minority classes compared with the unprocessed dataset. In terms of overall detection performance, in the multi-class comparison the proposed model's overall classification precision, recall and F1 value were all higher than those of the other single neural network models: the overall precision across attack traffic categories was 2.10 percentage points higher than the LSTM model (the best-performing baseline on that metric), the overall recall was 1.50 percentage points higher than the LSTM model, and the overall F1 value was 1.97 percentage points higher than the GRU model (the best-performing baseline on that metric), demonstrating that the proposed model achieves better detection results.
Authors
张安琳
张启坤
黄道颖
刘江豪
李建春
陈孝文
ZHANG Anlin; ZHANG Qikun; HUANG Daoying; LIU Jianghao; LI Jianchun; CHEN Xiaowen (Engineering Training Center, Zhengzhou University of Light Industry, Zhengzhou 450001, China; College of Computer and Communication Engineering, Zhengzhou University of Light Industry, Zhengzhou 450001, China)
Source
Journal of Zhengzhou University (Engineering Science) (郑州大学学报(工学版))
Indexed in: CAS; Peking University Core Journals (北大核心)
2022, No. 3, pp. 37-43 (7 pages)
Funding
Supported by the National Natural Science Foundation of China (61772477).
Keywords
intrusion detection
convolutional neural networks
bidirectional gated recurrent unit
synthetic minority over-sampling technique (SMOTE) algorithm
Tomek Links algorithm