计算机工程与应用 ›› 2021, Vol. 57 ›› Issue (21): 155-164.DOI: 10.3778/j.issn.1002-8331.2007-0264

• 网络、通信与安全 • 上一篇    下一篇

面向网络入侵检测的GAN-SDAE-RF模型研究

安磊,韩忠华,林硕,尚文利   

  1. 1.沈阳建筑大学 信息与控制工程学院,沈阳 110168
    2.中国科学院 沈阳自动化研究所 数字工厂研究室,沈阳 110016
    3.中国科学院 沈阳自动化研究所 工业控制网络与系统研究室,沈阳 110016
    4.中国科学院 网络化控制系统重点实验室,沈阳 110016
    5.中国科学院 机器人与智能制造创新研究院,沈阳 110016
  • 出版日期:2021-11-01 发布日期:2021-11-04

Research on GAN-SDAE-RF Model for Network Intrusion Detection

AN Lei, HAN Zhonghua, LIN Shuo, SHANG Wenli   

  1. 1.Faculty of Information and Control Engineering, Shenyang Jianzhu University, Shenyang 110168, China
    2.Department of Digital Factory, Shenyang Institute of Automation, Chinese Academy of Sciences(CAS), Shenyang 110016, China
    3.Department of Industrial Control Network and System, Shenyang Institute of Automation, Chinese Academy of Sciences, Shenyang 110016, China
    4.Key Laboratory of Network Control System, Chinese Academy of Sciences, Shenyang 110016, China
    5.Institutes for Robotics and Intelligent Manufacturing, Chinese Academy of Sciences, Shenyang 110016, China
  • Online:2021-11-01 Published:2021-11-04

摘要:

针对传统机器学习方法在处理不平衡的海量高维数据时罕见攻击类检测率低的问题,提出了一种基于深度学习的随机森林算法的入侵检测模型,为了避免传统的随机森林面对高维数据和不平衡数据时分类精度低、稳定性差和对罕见攻击类检测率低的问题,引入生成式对抗网络(GAN)和栈式降噪自编码器(SDAE)对随机森林算法(RF)进行改进。将罕见攻击类数据集输入GAN神经网络中,生成新的攻击类样本,改善网络入侵数据在样本集中不均衡分布的情况,通过堆叠深层的SDAE逐层抽取网络数据的分布规则,并结合各个编码层的系数惩罚和重构误差,来确定高维数据中与入侵行为相关的特征,基于降维后的特征数据构建森林决策树。采用UNSW-NB15数据集的实验结果表明,与SVM、KNN、CNN、LSTM、DBN方法相比,GAN-SDAE-RF整体检测准确率平均提高了9.39%、误报率和漏报率平均降低了9%和15.24%以及在少数类Analysis、Shellcode、Backdoor、Worms上检测率分别提高了26.8%、27.98%、27.85%、39.97%。

关键词: 深度学习, 生成式对抗网络, 栈式降噪自编码器, 随机森林算法

Abstract:

Aiming at the problem of low detection rate of rare attacks in traditional machine learning methods when dealing with unbalanced massive high-dimensional data, an intrusion detection model based on deep learning and random forest algorithm is proposed. In order to avoid the problems of low classification accuracy, poor stability and low detection rate of rare attacks when traditional random forests face high-dimensional data and unbalanced data, Generative Adversarial Network and Stacked Denoising Autoencoder are introduced into the Random Forest algorithm for improvement. The rare attack data set is input into the GAN neural network to generate a new attack sample to improve the uneven distribution of network intrusion data in the sample set. The deep-stacked SDAE extracts the distribution rules of the network data layer by layer, and combines the coefficient penalty and reconstruction error of each coding layer to determine the features related to the intrusion behavior in the high-dimensional data. The forest decision tree is constructed based on the characteristic data after dimension reduction.  The experimental results using the UNSW-NB15 data set show that compared with SVM, KNN, CNN, LSTM, and DBN methods, the overall detection accuracy of GAN-SDAE-RF has increased by 9.39% on average, and the FPR and FNR have decreased by 9% and 15.24% on average. The detection rates on Shellcode, Backdoor, and Worms have increased by 26.8%, 27.98%, 27.85%, and 39.97% respectively.

Key words: deep learning, generative adversarial network, stacked denoising autoencoder, random forest