Intrusion Prediction Based On Recurrent Neural Networks

The Internet facilitates efficient information exchange,but it is also exploited by malicious attackers.At present,the more complex and concealed attacks have flooded the cyberspace,which poses a threat to network security.Although intrusion detection technology has achieved certain effects on resisting cyberspace attacks,it is essentially a passive defense mechanism without the ability to predict attack behaviors.The attack behavior prediction,a more proactive defending approach,is especially important for defending large-scale as well as high-intensity attacks in the current network environment.Traditional Hidden Markov based prediction,Game Theory based prediction and Attack Graph based prediction researches are unable to achieve accurate prediction results.In order to solve the problems in the existing attack prediction research,this thesis constructs an end-to-end intrusion prediction model based on recurrent neural networks(RNNs)by focusing on the system call sequence generated during process operation.By learning the timing dependency mapping of known system call sequences and prediction sequences,the sufficient and accurate prediction of the trajectory of network attack behavior is realized.In order to reduce the false positive rate in the abnormal intrusion detection model,this thesis proposes a training method for abnormal intrusion detection model based on predictive sequence supplementation and constructs a gated convolutional neural network model to improve the accuracy and recall of the model.In addition,this thesis uses the adversarial samples to analyze the robustness of the prediction model and adopts corresponding defense mechanism.The main results of this thesis are as follows:(1)An end-to-end attack prediction model based on RNNs is constructed.Based on the semantics nature of system call,this thesis regards the system call as the language of process and operating system interaction.The recurrent neural network language model is used to model the known sequence,and then the prediction model is constructed based on the end-to-end architecture,and the attention mechanism is used to capture the alignment relationship between the predicted sequence and the known sequence.The purpose of obtaining the attack intention is achieved by predicting the system call sequence.(2)A training method for abnormal intrusion detection model based on the prediction sequence supplement is proposed.This thesis utilizes the predicted system call sequence to supplement each training sample of the intrusion detection classifier and constructs a gated convolutional neural network model according to this method.Compared to standard training methods,predicted sequences can provide extra effective information for the model and improve the detection performance of the model.The experimental results on different intrusion detection classification models show that the models trained with our method outperform the models with the standard method.(3)Improve model robustness by analyzing adversarial samples.This thesis takes the following two solutions to ensure the robustness of our model:1)Determine the most robust optimization algorithm in model training phase by studying the robustness of the deep learning gradient descent optimization algorithms.2)Construct a new algorithm to generate system call sequence adversarial examples then use adversarial training method to improve model robustness.The above work provides a new research idea for the prediction of network attack behavior,and the intrusion detection models trained in this thesis achieve significant improvement of performance.In addition,this thesis also provides a new method for the security research of sequence models.Our works in this thesis have strong transferability and good practicability in actual network security defense.