
Research Of Network Intrusion Detection Method Based On Deep Learning

Posted on: 2020-10-07
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C Y Xu
GTID: 1368330578473952
Subject: Electronic Science and Technology

Abstract/Summary:
With the continuous development of computer networks, network security issues have become increasingly prominent, and network intrusion detection (IDS) technology is one of the key technologies for ensuring network security. Traditional rule-based intrusion detection methods have several disadvantages: they rely on manual intervention, their rule databases are difficult to update in time, and they struggle to detect unknown intrusions. In this thesis, we studied network intrusion detection methods based on deep learning, used deep neural networks to extract the information traces that a network intrusion inevitably leaves behind, and proposed corresponding detection methods for different network intrusion scenarios.

Firstly, we considered that the information traces of common network intrusions are usually time-related, and proposed an IDS that consists of a recurrent neural network with gated recurrent units (GRU) and a multilayer perceptron (MLP). It was trained with deep learning to extract and filter features automatically. Experiments on the well-known KDD 99 and NSL-KDD datasets show that the proposed system has a leading performance with bidirectional gated recurrent units and a multilayer perceptron. The overall detection rate is up to 99.42% and 99.24%, and the false positive rate is as low as 0.05% and 0.84%, respectively. The results outperformed the previous studies.

Secondly, we studied a key element of communication in botnets, which are composed of zombie hosts controlled by malware: the domain names generated by a domain generation algorithm (DGA). In order to detect DGA domain names effectively, we proposed a detection method based on semantic expression, and implemented an n-gram combined character based domain classification (n-CBDC) network model. The semantic expression of a domain name was implemented by an n-gram representation and a deep convolutional neural network, which enabled end-to-end detection of DGA domain names. Different types of real DGA domain names and normal domain names were used to build a labeled dataset to evaluate the proposed detection method. The results show that the proposed detection method can effectively detect multiple types of DGA domain names. The average detection rate reached 98.69% and the average F-measure reached 0.9829. Compared with related work, the proposed method significantly outperformed the state-of-the-art methods in detecting pronounceable and wordlist-based DGA domain names, with more than 93.89% detection rate. It is proved that the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Thirdly, we considered the scenario where security agencies can only intercept a few shots of malicious samples for intrusion detection, that is, the zero-day attack scenario. A method of few-shot network intrusion detection was proposed based on a meta-learning framework. The proposed method took comparing and distinguishing a pair of network traffic samples as the learning task, wherein the pair of samples consisted of a normal sample without attack and a malicious sample. We designed a deep neural network named FC-Net, composed of an F-Net for feature extraction and a C-Net for comparison, to accomplish this task. FC-Net can acquire enough prior knowledge from a large number of samples through meta-training, then detect new types of attacks with only a few shots of samples. In order to evaluate the proposed method, we also proposed a method to construct datasets for few-shot network intrusion detection from real network traffic, and two datasets for few-shot detection were constructed from public network traffic data sources. Training and testing on the same datasets show that the average detection rate of the proposed method is up to 98.88%. Training on one dataset and testing on the other dataset show that the proposed method can achieve better performance. In the few-shot scenario, the malicious samples in the untrained dataset can be detected, and the average detection rate is up to 99.62%.

Finally, the low-rate denial of service (LDoS) attack was studied. Because LDoS attacks are strongly concealed, it is difficult for the traditional signal analysis-based method to detect LDoS attack traffic hiding in fluctuating normal traffic. A detection method based on a hybrid deep neural network was proposed using the time statistics of network traffic. We implemented the detection system with a one-dimensional convolutional neural network and gated recurrent units. In order to evaluate the proposed method in a real and effective way, we designed a network traffic capture system to obtain real traffic from the website of a university, selected the part that does not contain attacks as normal traffic, and then performed various types of real attacks on the mirrored website in the laboratory environment. The detection results show that the proposed method can effectively detect various types of LDoS attacks in fluctuating HTTP traffic with enough samples. The average detection rate reaches 98.68%. In the few-shot scenario, the average detection rate of the proposed detection method is 89.54%. Further experimental analysis shows that the proposed detection method can also detect HTTPS LDoS attacks in encrypted traffic, with an average detection rate of 95.85%.

Keywords/Search Tags:Information security, artificial intelligence, network intrusion detection, deep learning, convolutional neural network, recurrent neural network