Research On Network Intrusion Detection Model Based On Reinforcement Learning

Posted on: 2022-08-30
Degree: Master
Type: Thesis
Country: China
Candidate: K Dong
GTID: 2518306734457684
Subject: Master of Engineering
Abstract/Summary:
With the continuous development of Internet technology and applications, the Internet has played a huge role in fields such as commerce, the economy, and the military, and has become an indispensable part of the development of human society. However, while the network brings convenience to people, network security issues are becoming increasingly severe. Especially in recent years, the explosive growth of network data and constantly changing attack methods have brought huge challenges to network security protection. Intrusion detection, as a proactive technical means of network security protection, can detect attacks in the network in time. However, the expansion of network scale and the emergence of new attack methods and security vulnerabilities have made it difficult for traditional intrusion detection technologies to meet people's needs for network security protection. Reinforcement learning is a branch of machine learning. Through a process of constant trial and error, an optimal policy (that is, the best action to take in the current state) can be obtained for a specific problem, so that the long-term return is maximized under this policy. On this basis, and building on an analysis of existing intrusion detection technology, this paper combines reinforcement learning and big data technology. The main research work of this paper is as follows:

(1) An intrusion detection model based on reinforcement learning is proposed. To address the high false alarm rate, low detection rate and low detection efficiency of traditional intrusion detection systems, the fuzzy analytic hierarchy process is introduced into the model to evaluate the credit of each user, thereby completing the construction of the credit system and credit table. Credit is a measure of user reliability. During intrusion detection, the intrusion detection engine interacts with the environment. Therefore, a Markov decision process for intrusion detection is established from the basic elements of a Markov decision process in the intrusion detection system, and the off-policy Q-Learning algorithm is used to solve it. The core idea is to select, according to the Q value, the action that obtains the larger return. To verify the effectiveness of the model, experiments are carried out on the KDD99 data set and compared with traditional intrusion detection methods. The experimental results show that the model can improve the intrusion detection rate and detection efficiency, and reduce the false alarm rate of the system. The accuracy of intrusion detection is positively correlated with the size of the training set, and the model has good protocol-independent detection capabilities, which shows specifically in its advantages when processing unbalanced data sets.

(2) For the proposed intrusion detection model based on reinforcement learning, mainstream big data technology is adopted to design and implement an intrusion detection system. The system architecture is divided into six modules: data acquisition module, message engine module, real-time calculation module, response module, offline calculation module, and data display module. The system collects access traffic information and log information (such as access logs, user logs, and system logs) of the networks, systems, or applications that need to be monitored or protected. These data are collected in real time through the Flume subsystem, and after entering the Kafka message queue, the collected data can be transmitted to HDFS for offline calculation or transmitted directly to the Flink real-time calculation module. This paper adopts both offline computing and online computing. The task of offline computing is to use the Hive data warehouse to model and analyze log data. Online computing is the computing environment for reinforcement learning: the reinforcement learning model trained in advance for intrusion detection is placed in the Flink computing engine, the collected traffic data is analyzed in real time, and the results are acted on through the response module. The data display module visualizes the functions of each module. The data display helps with an overall grasp of the operating status of the system and awareness of the network situation, and supports analysis and operation and maintenance.
Keywords/Search Tags:intrusion detection, Markov decision process, reinforcement learning, credit, Q learning, Flink
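
The following sketch is an added example, not code from the thesis: it shows tabular off-policy Q-Learning choosing between allowing and alerting on a connection, with the greedy decision taken from the larger Q value. The state encoding (KDD99-style protocol_type and flag plus a two-level credit bucket), the reward values, the hyperparameters and the sample records are all assumptions constructed for illustration.

```python
import random
from collections import defaultdict

ACTIONS = ("allow", "alert")

# Constructed sample records (not from the thesis): KDD99-style protocol_type
# and flag values plus an assumed two-level user credit bucket; label 1 = attack.
RECORDS = [
    (("tcp", "SF", "high"), 0),
    (("tcp", "S0", "low"), 1),
    (("udp", "SF", "high"), 0),
    (("icmp", "SF", "low"), 1),
    (("tcp", "REJ", "low"), 1),
    (("icmp", "SF", "high"), 0),
]


def reward(action, label):
    # Assumed reward: +1 for a correct decision, -1 for a false alarm or a miss.
    return 1.0 if (action == "alert") == bool(label) else -1.0


def train(records, epochs=200, alpha=0.1, gamma=0.5, epsilon=0.2, seed=0):
    rng = random.Random(seed)
    q = defaultdict(lambda: dict.fromkeys(ACTIONS, 0.0))
    for _ in range(epochs):
        for i, (state, label) in enumerate(records):
            # Behaviour policy: epsilon-greedy exploration.
            if rng.random() < epsilon:
                action = rng.choice(ACTIONS)
            else:
                action = max(ACTIONS, key=q[state].get)
            # Off-policy target: bootstrap from the best action in the next
            # state, whatever the behaviour policy will actually pick there.
            nxt = records[i + 1][0] if i + 1 < len(records) else None
            best_next = max(q[nxt].values()) if nxt is not None else 0.0
            target = reward(action, label) + gamma * best_next
            q[state][action] += alpha * (target - q[state][action])
    return q


def decide(q, state):
    # Greedy policy: the action with the larger Q value for this state.
    # States never seen in training fall back to "allow" (an assumption).
    values = q.get(state)
    return max(ACTIONS, key=values.get) if values else "allow"
```

Because the next record does not depend on the chosen action here, the learned gap between the two Q values in a state reflects only the reward difference, which is why the greedy policy matches the labels after training.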