
Research On Network Abnormal Behavior Identification And Classification Based On Network Intrusion Small Sample Data

Posted on: 2022-12-05
Degree: Master
Type: Thesis
Country: China
Candidate: S X Luo
GTID: 2518306749983359
Subject: Master of Engineering

Abstract/Summary:
With the rapid development of Internet technology, the network environment is diversified and new types of attacks are constantly appearing, making it difficult for traditional network intrusion detection systems to cope with the increasingly complex network environment and massive amounts of network data. At present, the anomaly detection capability of network intrusion detection systems still needs to be improved; at the same time, the detection rate of small intrusion samples in network intrusion data sets is low. To solve these problems, this paper proposes a hierarchical network intrusion detection model. The main research content is as follows:

(1) A network anomaly recognition model based on an improved Denoising Autoencoder is proposed to address the problem of insufficient network anomaly detection capability. Firstly, the model constructs an encoder-decoder model through a Denoising Autoencoder to achieve feature-learning coding of normal network traffic, and introduces an attention mechanism to enhance the model's learning of key features. Secondly, an anomaly determination module is constructed: an optimal threshold-F1 selection algorithm is designed to select the anomaly threshold, and attack behavior is determined by comparing the reconstruction error of the encoded traffic with the anomaly threshold. The Denoising Autoencoder reduces overfitting of the model, the introduction of the attention mechanism improves the detection capability of the model, and the optimal threshold-F1 selection algorithm achieves the optimal performance of anomaly detection in a complex network environment.

(2) For the problem of the low detection rate of small intrusion samples, an anomaly classification model combining Convolutional Neural Networks (CNN) and LightGBM, based on hybrid sampling, is proposed. Firstly, hybrid sampling is proposed to balance the network intrusion data, using the K-means algorithm to undersample the large-class samples and an improved SMOTE algorithm to oversample the small-sample data. Secondly, the balanced network traffic dataset is converted into a two-dimensional graph, and the CNN is used to automatically extract and learn deep features of the network traffic data. Finally, the grid search method is used to optimize the classification weights of the LightGBM algorithm for different attack data, and the CNN and the LightGBM algorithm are fused to achieve anomaly classification. The anomaly classification model reduces the impact of the dataset's small-sample data on the detection effect at both the data level and the algorithm level, and it improves the detection rate of small-class intrusion samples.

In this paper, the layered intrusion detection model is experimentally evaluated using the NSL-KDD network intrusion dataset. Experimental results show that the introduction of the attention mechanism improves the F1 value of the anomaly recognition model by 1.22%, and the optimal threshold-F1 selection algorithm improves the F1 value of the model by 0.91% compared to other threshold selection methods. The anomaly classification model, a single-class classifier that can cope with data imbalance, achieves an F1 value of 92.08% for the anomaly detection model. The hybrid sampling strategy and the classification weight optimization method improve the maximum F1 value of small-class intrusion detection by 17% compared with the untreated one; the F1 value of the anomaly classification model combining the CNN and the LightGBM algorithm reaches 85.2%. In comparison experiments with related studies, the hierarchical network intrusion detection model has significant advantages in both intrusion detection and anomaly classification, with an overall intrusion detection F1 value of 88.39%, which significantly improves the effectiveness of intrusion detection.
Keywords/Search Tags:Small sample data, network intrusion, machine learning, anomaly detection, data balance
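
The abstract does not give the details of the optimal threshold-F1 selection algorithm, so the following is an added illustration, not the thesis's code: one common way to pick a reconstruction-error threshold that maximises F1 on labelled validation traffic. The function names and the sample errors and labels are constructed for this example.

```python
def best_f1_threshold(errors, labels):
    """Return (threshold, f1) maximising F1 when `error >= threshold` means attack.

    errors: autoencoder reconstruction errors, one per flow (floats)
    labels: ground truth for the same flows, 1 = attack, 0 = normal
    """
    if len(errors) != len(labels):
        raise ValueError("errors and labels must have the same length")
    total_pos = sum(labels)
    if total_pos == 0:
        raise ValueError("need at least one attack sample to compute F1")

    # Sort by error, highest first: lowering the threshold to each successive
    # value flags exactly one more flow, so TP/FP can be updated incrementally.
    ranked = sorted(zip(errors, labels), key=lambda p: p[0], reverse=True)
    best_thr, best_f1 = None, -1.0
    tp = fp = 0
    for i, (err, lab) in enumerate(ranked):
        tp += lab
        fp += 1 - lab
        # Flows with identical error cannot be separated by any threshold,
        # so only score once the whole run of ties has been counted.
        if i + 1 < len(ranked) and ranked[i + 1][0] == err:
            continue
        fn = total_pos - tp
        f1 = 2 * tp / (2 * tp + fp + fn)
        if f1 > best_f1:
            best_thr, best_f1 = err, f1
    return best_thr, best_f1


def classify(errors, threshold):
    """Flag a flow as an attack (1) when its reconstruction error reaches the threshold."""
    return [1 if e >= threshold else 0 for e in errors]


# Constructed validation set: mostly low-error normal flows, three high-error
# attacks, and one attack (0.06) whose error sits close to the normal range.
SAMPLE_ERRORS = [0.02, 0.03, 0.05, 0.04, 0.30, 0.06, 0.25, 0.07, 0.40, 0.05]
SAMPLE_LABELS = [0, 0, 0, 0, 1, 1, 1, 0, 1, 0]

if __name__ == "__main__":
    thr, f1 = best_f1_threshold(SAMPLE_ERRORS, SAMPLE_LABELS)
    print(f"threshold={thr} F1={f1:.4f}")
    print(classify(SAMPLE_ERRORS, thr))
```

On this sample the F1-optimal threshold accepts one false positive (the normal flow at 0.07) in order to catch the low-error attack at 0.06, which a threshold placed in the widest gap between the two groups would miss.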