Intrusion Detection Method Based on Two-Layer Attention Networks

doi:10.3778/j.issn.1002-8331.2006-0220

Abstract

Abstract:

Network-based intrusion detection technology, as an important security protection means, plays an important role in timely detection of network attacks. Currently, machine learning algorithms using feature engineering are common methods for detecting and analyzing network intrusions, but manually designed features often lose important information of payload data. In addition, different data packets in the network attack traffic play different roles in intrusion detection, but most existing algorithms are not capable of capturing important information. To address the above problems, this paper proposes a new deep learning model L2-AMNN, which directly extracts the raw network traffic payload data as samples without complex feature engineering, and introduces a two-layer attention on the basis of bidirectional Long Short-Term Memory（LSTM） network to capture keyword bytes information and data packets information to generate more accurate feature vectors of intrusion detection. The experimental results show that compared with SVM, DNN, LSTM and other models, L2-AMNN improves the accuracy and detection rate of network intrusion detection by an average of 4.05% and 2.48%, and reduces the false alarm rate and miss rate by an average of 4.41% and 2.61%, and the overall detection performance is better than other similar models.

Key words: cyber security, intrusion detection, deep learning, attention mechanism, Long Short-Term Memory（LSTM）

摘要：

基于网络的入侵检测技术作为一种重要的安全防护手段，对及时发现网络攻击行为起着重要的作用。目前，采用特征工程的机器学习算法是检测分析网络入侵的常用方法，但是人工设计的特征往往会丢失有效载荷的重要信息；另外，网络攻击流量中的不同数据包信息在入侵检测中所起的作用是不同的，而现有算法大都对重要信息的捕捉能力不足。针对上述问题，提出了一种新的深度学习模型L2-AMNN，无需复杂的特征工程，直接提取原始网络流量的有效载荷数据作为样本，在双向长短时记忆神经网络基础上，引入双层注意力机制，捕获关键字节信息和数据包信息，生成更加准确的入侵检测特征向量。实验结果表明，与SVM、DNN、LSTM等模型相比，L2-AMNN对网络入侵检测的准确率、检出率平均提升了4.05%和2.48%，同时误报率、漏报率平均降低了4.41%和2.61%，总体检测性能优于其他同类模型。

关键词: 网络安全, 入侵检测, 深度学习, 注意力机制, 长短时记忆神经网络

CAO Lei, LI Zhanbin, YANG Yongsheng, ZHAO Longfei. Intrusion Detection Method Based on Two-Layer Attention Networks[J]. Computer Engineering and Applications, 2021, 57(19): 142-149.

曹磊，李占斌，杨永胜，赵龙飞. 基于双层注意力神经网络的入侵检测方法[J]. 计算机工程与应用, 2021, 57(19): 142-149.

References

[1] GIRSHICK R.Fast R-CNN[C]//2015 IEEE International Conference on Computer Vision，Santago，2015：1440-1448.
[2] HUANG G，LIU Z，LAURENS V D M，et al.Densely connected convolutional networks[C]//2017 IEEE Conference on Computer Vision and Pattern Recognition，Honolulu，2017：2261-2269.
[3] XIA Y，HE D，QIN T，et al.Dual learning for machine translation[C]//Proceedings of the the 30th Conference on Neural Information Processing Systems，Barcelona，2016：820-828.
[4] O’SHEA T J，CORGAN J，CLANCY T C.Convolutional radio modulation recognition networks[C]//Proceedings of the International Conference on Engineering Applications of Neural Networks，2016：213-226.
[5] 白芃远，许华，孙莉.基于卷积神经网络与时频图纹理信息的信号调制方式分类方法[J].西北工业大学学报，2019，37（4）：816-823.
BAI P Y，XU H，SUN L.A recognition algorithm for modulation schemes by convolution neural network and spectrum texture[J].Journal of Northwesteern Polytechnical University，2019，37（4）：816-823.
[6] SAK H，SENIOR A，BEAUFAYS F.Long short-term memory recurrent neural network architectures for large scale acoustic modeling[C]//Proceedings of the Fifteenth Annual Conference of The International Speech Communication Association，2014.
[7] 苟泽中，许华，郑万泽，等.基于半监督联合神经网络的调制识别算法[J].信号处理，2020，36（2）：168-176.
GOU Z Z，XU H，ZHENG W J，et al.Semi-supervised joint neural network based recognition algorithm of modulation signal[J].Journal of Signal Processing，2020，36（2）：168-176.
[8] DIXIT M，KWITT R，NIETHAMMER M，et al.AGA：Attribute-guided augmentation[C]//2017 IEEE Conference on Computer Vision and Pattern Recognition，2017：7455-7463.
[9] HARIHARAN B，GIRSHICK R.Low-shot visual recognition by shrinking and hallucinating features[C]//2017 IEEE International Conference on Computer Vision，2017：3037-3046.
[10] FINN C，ABBEEL P，LEVINE S.Model-agnostic meta-learning for fast adaptation of deep networks[C]//Proceedings of the 34th International Conference on Machine Learning，2017：1126-1135.
[11] SANTORO A，BARTUNOV S，BOTVINICK M，et al.Meta-learning with memory-augmented neural networks[C]//Proceedings of the 33rd International Conference on Machine Learning，2016：1842-1850.
[12] RAVI S，LAROCHELLE H.Optimization as a model for few-shot learning[C]//Proceedings of the International Conference on Learning Representations，Toulon，2017.
[13] SNELL J，SWERSKY K，ZEMEL R.Prototypical networks for few-shot learning[C]//Proceedings of the 31st Conference on Neural Information Processing Systems，2017：4080-4090.
[14] KOCH G，ZEMEL R，SALAKHUTDINOV R.Siamese neural networks for one-shot image recognition[C]//Proceedings of the ICML Deep Learning Workshop，2015.
[15] SUNG F，YANG Y，ZHANG L，et al.Learning to Compare：Relation network for few-shot learning[C]//Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognification，2017.
[16] SANDER J.LOF：Identifying density-based local outliers[J].Acmsigmod Record，2000，29（2）：93-104.
[17] O’SHEA T J，WEST N.Radio machine learning dataset generation with gnu radio[C]//Proceeding of the GNU Radio Conference，2016.
[18] HE K，ZHANG X，REN S，et al.Deep residual learning for image recognition[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition，2016：770-778.
[19] HERRMANS A，BEYER L，LEIBBE B.In defense of the triplet loss for person re-identifiction[J].arXiv：1703. 07737，2017.
[20] BISHOP C M.Pattern recognition and machine learning[M]//Information science and statistics.New York：Springer-Verlag，2006.