Research On Intrusion Detection Based On Deep Learning And Association Rules

Posted on: 2022-12-08 | Degree: Master | Type: Thesis
Country: China | Candidate: Y C Fan
GTID: 2518306617996049 | Subject: Automation Technology
Abstract/Summary:
With the continuous development of network technology, network attack methods are becoming more complex and diversified. Effectively detecting malicious attacks at the Internet boundary and inside the terminal is therefore of great significance for maintaining network security. This thesis focuses on two dimensions: web attack detection and host intrusion detection. The specific contents are as follows:

(1) A BERT-based web attack detection method is proposed. Traditional rule-based web attack detection methods require rules to be added manually. As the number of rules grows, they consume more computing resources and detection efficiency drops, and attacks of unknown type cannot be identified. In recent years, most research on deep-learning-based web attack detection has focused only on the URL and parameter parts of HTTP requests, so malicious attacks carried in the remaining fields of the request are missed. To address these problems, two BERT-based web attack detection methods that inspect the full HTTP request are proposed, together with improvements to BERT: based on its pooled output, an LSTM and a Transformer are added after the network to integrate features, so that BERT supports long text input. Both detection models use the real data set of a service website as the training set, and a test set drawn from the same real data set is used to verify the detection effect. The CSIC2010 public dataset is then used as a test set to verify the generalization ability of the models. Experimental results show that both models can effectively distinguish normal traffic from abnormal traffic in the real website dataset while maintaining detection efficiency, and that the Transformer-based detection model performs better on the two test sets.

(2) A host intrusion detection method based on association rules is proposed. Traditional log analysis methods parse logs one by one, through rule matching or a neural network model, and give detection results. Because they do not learn the implicit correlation information between log records, they cannot detect intrusion behaviors that can only be found by correlation analysis of multiple logs. In response to these problems, a host intrusion detection model based on the association rule mining algorithm Apriori is proposed. The Sot M34 data set is used as the training set for association rule mining, and the Elastic Stack and Wazuh are used to build an intrusion detection platform for data collection, storage and visualization. Finally, the detection ability of the model is verified by combining normal log data with abnormal log data collected while executing automated attack tools. The experimental results show that the model can effectively detect intrusion behavior that is composed of multiple associated logs.
Keywords/Search Tags:Web Attack Detection, Intrusion detection, Deep learning, BERT, Association rules, Apriori