基于改进双重深度Q网络的入侵检测模型

doi:10.3778/j.issn.1002-8331.2105-0402

摘要/Abstract

摘要： 入侵检测技术作为网络安全有效的防御手段，是网络安全体系中的重要组成部分。随着互联网的快速发展，网络数据量快速增加，网络攻击更加趋于复杂化和多元化，目前主流的入侵检测技术无法有效识别各种攻击。针对实际网络环境中正常流量和攻击流量数据不平衡，且对攻击类流量检测率低的问题，基于深度强化学习提出一种基于改进双重深度Q网络的CBL_DDQN网络入侵检测模型。该模型将一维卷积神经网络和双向长短期记忆网络的混合网络模型引入深度强化学习的DDQN框架，并使用深度强化学习中的反馈学习和策略生成机制训练智能体来对不同类别的攻击样本进行分类，在一定程度上减弱了训练模型过程中对数据标签的依赖性。采用Borderline-SMOTE算法降低数据的不平衡度，从而提高稀有攻击的检测率。通过NSL_KDD和UNSW_NB15数据集对模型的性能进行评估，结果表明：该模型在准确率、精确率、召回率这三项指标上均取得了良好的结果，检测效果远优于Adam-BNDNN、KNN、SVM等检测方法，是一种高效的网络入侵检测模型。

关键词: 入侵检测, 深度强化学习, 双重深度Q网络, 卷积神经网络（CNN）, 长短期记忆网络（LSTM）

Abstract: As an effective defense method of network security, intrusion detection technology is an essential part of network security system. With the drastic development of the Internet, the amount of network data increases rapidly, and network attacks tend to be more complex and diversified, consequently, current intrusion detection technologies cannot identify all kinds of attacks effectively. Owing to the unbalanced problem between normal traffic and attack traffic in the real network environment and the low detection rate of attack traffic, this paper proposes a CBL_DDQN detection model based on improved double deep Q-network which is based on deep reinforcement learning. A hybrid model consisting of one-dimensional convolutional neural network and bi-directional long short-term memory network is utilized in the DDQN framework of deep reinforcement learning, then the feedback learning and strategy-generating mechanism of deep reinforcement learning is used for training the agent to classify different types of attack samples, which can greatly weaken the dependence on data labels in the process of training model. In the meantime, the Borderline-SMOTE algorithm is used to reduce data imbalance so as to improve the detection rate of rare attack traffic. The performance of the model evaluated by NSL_KDD and UNSW_NB15 datasets shows that the model performs well in accuracy, precision and recall. The detection result of the model is far better than that of Adam-BNDNN, KNN, SVM and other detection methods, which implies the intrusion detection model proposed in this paper is efficient.

Key words: intrusion detection, deep reinforcement learning, double deep Q-network, convolutional neural network（CNN）, long short-term memory network（LSTM）

吴亚丽, 王君虎, 郑帅龙. 基于改进双重深度Q网络的入侵检测模型[J]. 计算机工程与应用, 2022, 58(16): 102-110.

WU Yali, WANG Junhu, ZHENG Shuailong. Intrusion Detection Model Based on Improved Double Deep Q-Network[J]. Computer Engineering and Applications, 2022, 58(16): 102-110.

参考文献

[1] 刘敬.基于机器学习的入侵检测和告警关联关键技术研究[D].北京：北京邮电大学计算机学院，2016.
LIU J.Research on key technologies of intrusion detection and alert correlation based on machine learning[D].Beijing：School of Computer Science，Beijing University of Posts and Telecommunications，2016.
[2] ALHAKAMI W，ALHARBI A，BOUROUIS S，et al.Network anomaly intrusion detection using a nonparametric Bayesian approach and feature selection[J].IEEE Access，2019，7：52181-52190.
[3] SANDEEP V，KONDAPPAN S，JONE A A，et al.Anomaly intrusion detection using SVM and C4.5 classification with an improved particle swarm optimization （I-PSO）[J].International Journal of Information Security and Privacy，2021，15（2）：113-130.
[4] WU Y K，LEE W W，GONG X，et al.A hybrid intrusion detection model combining SAE with kernel approximation in internet of things[J].Sensors，2020，20（19）：5710.
[5] 刘月峰，王成，张亚斌，等.用于网络入侵检测的多尺度卷积CNN模型[J].计算机工程与应用，2019，55（3）：90-95.
LIU Y F，WANG C，ZHANG Y B，et al.Multiscale convolutional CNN model for network intrusion detection[J].Computer Engineering and Applications，2019，55（3）：90-95.
[6] 刘文军，郭志民，吴春明，等.基于深度学习的配电网无线通信入侵检测系统[J].电子学报，2020，48（8）：1538-1544.
LIU W J，GUO Z M，WU C M，et al.Wireless communication intrusion detection system for distribution network based on deep learning[J].Acta Electronica Sinica，2020，48（8）：1538-1544.
[7] TIAN L Y，LU Y M.An intrusion detection model based on SMOTE and convolutional neural network ensemble[J].Journal of Physics：Conference Series，2021，1828：012024.
[8] ALAEDDINE B，ABDELLAOUI A，HMINA N，et al.LSTM deep learning method for network intrusion detection system[J].International Journal of Electrical and Computer Engineering，2020，10（3）：3315-3322.
[9] 马明艳，陈伟，吴礼发.基于CNN_BiLSTM网络的入侵检测方法[J].计算机工程与应用，2022，58（10）：116-124.
MA M Y，CHEN W，WU L F.Intrusion detection method based on CNN_BiLSTM network[J].Computer Engineering and Applications，2022，58（10）：116-124.
[10] SILVER D，HUANG A，MADDISON C，et al.Mastering the game of go with deep neural networks and tree search[J].Nature，2016，529（7587）：484-489.
[11] WIERING M A，VAN HASSELT H，PIETERSMA A D，et al.Reinforcement learning algorithms for solving classification problems[C]//2011 IEEE Symposium on Adaptive Dynamic Programming and Reinforcement Learning，Paris，Apr 11-15，2011：91-96.
[12] SUWANNALAI E，POLPRASERT C.Network intrusion detection systems using adversarial reinforcement learning with deep Q-network[C]//2020 18th International Conference on ICT and Knowledge Engineering，Bangkok，Nov 18-20，2020：1-7.
[13] MNIH V，KAVUKCUOGLU K，SILVER D，et al.Human-level control through deep reinforcement learning[J].Nature，2015，518（7540）：529-533.
[14] HASSELT H V，GUEZ A，SILVER D.Deep reinforcement learning with double Q-learning[C]//29th AAAI Conference on Artificial Intelligence，Austin，Jan 25-30，2015：2094-2100.
[15] AZIZJON M，JUMABEK A，KIM W.1D CNN based network intrusion detection with normalization on imbalanced data[C]//2020 International Conference on Artificial Intelligence in Information and Communication，Fukuoka，Feb 19-21，2020：218-224.
[16] KHAN R U，ZHANG X，ALAZAB M，et al.An improved convolutional neural network model for intrusion detection in networks[C]//2019 Cybersecurity and Cyberforensics Conference，Melbourne，May 8-9，2019：74-77.
[17] HAN H，WANG W Y，MAO B H.Borderline-SMOTE：a new over-sampling method in imbalanced data sets learning[J].Advances in Intelligent Computing，2005，3644：878-887.
[18] 何梦乙，覃仁超，刘建兰，等.基于Adam-BNDNN的网络入侵检测模型[J].计算机测量与控制，2020，28（2）：58-62.
HE M Y，QIN R C，LIU J L，et al.Network intrusion detection model based on Adam-BNDNN[J].Computer Measurement & Control，2020，28（2）：58-62.
[19] HSU Y F，MATSUOKA M.A deep reinforcement learning approach for anomaly network intrusion detection system[C]//2020 IEEE 9th International Conference on Cloud Networking，Piscataway，Nov 9-11，2020：1-6.
[20] SINHA J，MANOLLAS M.Efficient deep CNN-BiLSTM model for network intrusion detection[C]//2020 3rd International Conference on Artificial Intelligence and Pattern Recognition，Xiamen，Sep 25-27，2020：224-232.