基于联合注意力机制和一维卷积神经网络-双向长短期记忆网络模型的流量异常检测方法

A Traffic Anomaly Detection Method Based on the Joint Model of Attention Mechanism and One-Dimensional Convolutional Neural Network-Bidirectional Long Short Term Memory

针对流量数据集中类别不平衡限制了分类模型对少数类攻击流量的检测性能这一问题,该文提出一种基于联合注意力机制和1维卷积神经网络-双向长短期记忆网络(1DCNN-BiLSTM)模型的流量异常检测方法。首先在数据预处理过程中利用BorderlineSMOTE方法对流量数据不平衡训练样本预处理,使得各类流量数据均衡,有助于后续模型对各类数据的充分训练。然后设计联合注意力机制和1DCNN-BiLSTM的模型对流量数据进行训练,提取流量数据的局部和长距离序列特征并进行分类,通过注意力机制将对分类有用的特征按其重要性赋予权值,提高对少数攻击类的检出率。实验结果表明,同几种现有方法相比,该文方法对NSL-KDD和CICIDS2017数据集的检测准确率最高(可达93.17%和98.65%),对NSL-KDD数据集中的提权攻击(U2R)攻击流量的检出率至少提升13.70%,证明了该文方法提升少数类攻击流量检出率的有效性。

Considering the problem that the class imbalance of traffic dataset limits the performance of the model to the minority class attack traffic,a traffic anomaly detection method based on the joint model of attention mechanism and One-Dimensional Convolutional Neural Network-Bidirectional Long Short Term Memory(1DCNN-BiLSTM)is proposed.First,in the data preprocessing,the BorderlineSMOTE method is used to preprocess the imbalanced traffic training data,so that the quantities of different categories are balanced,which is helpful for the model to train various types fully.Then,the joint model of attention mechanism and 1DCNN-BiLSTM is designed to extract the local and long-distance sequence features of the traffic data.The features useful for classification are assigned weights according to their importance through the attention mechanism,which makes the model improve the detection rate of attack classes.Experimental results show that the proposed method has the highest accuracy for NSL-KDD and CICIDS2017 datasets(up to 93.17%and 98.65%).The proposed method improves the detection rate of User to Root(U2R)attack traffic in NSL-KDD dataset by at least 13.70%,which proves the effectiveness of the proposed method in improving the detection rate of minority attack traffic.