
Research On Network Attack Detection Technology Based On Deep Generative Model

Posted on: 2022-09-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Q Yang
GTID: 1488306350988539
Subject: Information security
Abstract/Summary:
Attack detection is a prerequisite for attack defense and plays an important role in preventing security threats and protecting the network from attacks. Over the years, attackers and defenders have been locked in a continuous contest, and new, combined or higher-level attack modes are constantly emerging. Network traffic data is large in volume and has high-dimensional features, attack traffic is far scarcer than normal traffic, network packet loss leads to incomplete traffic features, and unknown attacks and attack variants are constantly emerging. Traditional machine learning methods suffer from low detection rates and high false alarm rates. To solve these difficulties, this dissertation combines the advantages of deep learning and generative methods to build a deep generative model that can detect and identify attacks effectively. The main research contents and results of this dissertation are summarized as follows:

(1) Faced with large volumes of network traffic data and high-dimensional features, traditional classifiers suffer from low detection performance. To solve this problem, this dissertation proposes an attack detection model (MDPCA-DBN) which combines a modified density peak clustering algorithm (MDPCA) and a deep belief network (DBN). MDPCA is used to divide the original training data set into several different subsets with similar kernel space attribute sets, and each subset is used to train its own sub-DBN classifier. These sub-DBN classifiers can learn and explore high-level abstract features, automatically reduce data dimensionality, and perform classification well. According to the nearest neighbor criterion, the fuzzy membership weights of each test sample in each sub-DBN classifier are calculated, and the outputs of all sub-DBN classifiers are aggregated based on these fuzzy membership weights. The experimental results show that, on the NSL-KDD (KDDTest+), NSL-KDD (KDDTest-21) and UNSW-NB15 data sets, the overall accuracy of MDPCA-DBN reaches 82.08%, 66.18% and 90.21%, respectively, and the overall detection rates reach 70.51%, 61.57% and 96.22%, respectively.

(2) To address the low detection rate of minority attacks caused by imbalanced network traffic attack samples, this dissertation proposes a novel attack detection model (ICVAE-DNN) that uses an improved conditional variational autoencoder (ICVAE) and a deep neural network (DNN). After the ICVAE network is trained, latent sample points sampled in the latent space and the specified minority class labels are jointly input to the trained ICVAE decoder to generate attack samples of the specified minority class. According to the principle of minimum reconstruction error for attack samples of the same class, the newly generated attack samples that meet the reconstruction error conditions are merged into the training data set, which increases the diversity of training samples and balances the training data set. As a result, the detection rate of imbalanced minority attacks is improved. The trained ICVAE encoder is used to pre-initialize the DNN and extract high-level network features automatically, so the DNN can be easily optimized by backpropagation and fine-tuning. Experimental results show that ICVAE-DNN outperforms seven traditional oversampling methods, improves the detection rate of minority attacks, and achieves overall accuracy of 85.97%, 75.43% and 89.08% on the NSL-KDD (KDDTest+), NSL-KDD (KDDTest-21) and UNSW-NB15 data sets, respectively.

(3) To address the low detection performance of network attack detection models caused by incomplete traffic features, a forward-reverse adversarial learning method is proposed to construct an inverter conditional generative adversarial network (ICWGANInveter), which applies to incomplete feature reconstruction and attack identification. ICWGANInveter realizes the mutual mapping between input samples and latent codes through an inverter and a generator. The inverter and generator of ICWGANInveter can reconstruct attack data of the same type with similar hidden structural features. The reconstruction error of attack data in the same category is the smallest, and the reconstruction error of attack data in different categories is larger. Therefore, the trained ICWGANInveter can not only automatically identify and detect attacks with incomplete features according to the reconstruction loss of the inverter and generator, but also perform feature reconstruction based on the predicted category labels. The experimental results show that, on the KDDTest+ and KDDTest-21 test sets, ICWGANInveter achieves 89.18% and 80.32% accuracy and 89.96% and 86.99% F1-score, respectively.

(4) To address the low detection rate of unknown network attacks, this dissertation proposes a network attack detection model (SAVAER-DNN) that combines a supervised and regularized adversarial variational autoencoder (SAVAER) with a deep neural network (DNN). Attack variant samples with similar features are generated by perturbing the latent codes of known attack samples. The attack variant samples that meet the reconstruction error of the same class are merged into the original training data set to increase the diversity of training data. The trained SAVAER encoder is used to initialize the DNN weight parameters, so that the DNN starts closer to the global optimum and is easier to train. The newly synthesized training data set is used to train the DNN classification model, and the problem of unknown attack detection is converted into the problem of known attack detection. These methods effectively improve the detection rate of unknown attacks. The research results show that SAVAER-DNN can not only detect known and unknown attacks, but also improve the detection rate of low-frequency attacks.

In summary, this dissertation focuses on performing network attack detection tasks in different scenarios by using deep generative models. Experimental results show that the detection models proposed in this dissertation can effectively improve the detection performance of network attacks, and they have practical significance for the four types of scenarios mentioned above.
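
The membership-weighted aggregation described in contribution (1), as an added example that is not code from the dissertation. The abstract does not give the membership formula, so this sketch assumes the fuzzy c-means form with fuzzifier m = 2 and Euclidean distance to cluster centers; the centers, class layout and stand-in sub-classifiers are constructed for illustration.

```python
import math

def fuzzy_memberships(sample, centers, m=2.0):
    """Membership of `sample` in each cluster (assumed fuzzy c-means formula):
    u_i = d_i^(-2/(m-1)) / sum_j d_j^(-2/(m-1)), with d_i the distance to center i."""
    dists = [math.dist(sample, c) for c in centers]
    # Edge case: the sample coincides with one or more centers; a zero
    # distance would divide by zero, so those clusters share all the weight.
    on_center = [i for i, d in enumerate(dists) if d == 0.0]
    if on_center:
        return [1.0 / len(on_center) if i in on_center else 0.0
                for i in range(len(centers))]
    exponent = 2.0 / (m - 1.0)
    inv = [d ** -exponent for d in dists]
    total = sum(inv)
    return [v / total for v in inv]

def aggregate(sample, centers, sub_classifiers, m=2.0):
    """Weight every sub-classifier's class probabilities by the sample's
    membership in that sub-classifier's cluster, then pick the top class."""
    weights = fuzzy_memberships(sample, centers, m)
    outputs = [clf(sample) for clf in sub_classifiers]
    n_classes = len(outputs[0])
    scores = [sum(w * out[k] for w, out in zip(weights, outputs))
              for k in range(n_classes)]
    label = max(range(n_classes), key=scores.__getitem__)
    return label, scores, weights

# Constructed setup: two clusters in a 2-feature space, classes [normal, attack].
CENTERS = [(0.0, 0.0), (4.0, 0.0)]
# Stand-ins for trained sub-DBNs: each returns fixed class probabilities.
SUB_CLASSIFIERS = [
    lambda x: [0.8, 0.2],   # trained on the mostly-normal cluster
    lambda x: [0.1, 0.9],   # trained on the mostly-attack cluster
]

if __name__ == "__main__":
    for s in [(1.0, 0.0), (3.0, 0.0), (4.0, 0.0)]:
        label, scores, weights = aggregate(s, CENTERS, SUB_CLASSIFIERS)
        print(s, "weights", weights, "scores", scores, "->", label)
```

Unlike a hard nearest-cluster assignment, a sample between clusters is scored by every sub-classifier, with the closer cluster's classifier dominating.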
Keywords/Search Tags:Attack detection, representation learning, end-to-end learning, deep learning, generative model