
Network Intrusion Detection System Based On Improved Transformer

Posted on: 2024-07-09
Degree: Master
Type: Thesis
Country: China
Candidate: W Z Gao
GTID: 2558307070451704
Subject: Electronic information

Abstract/Summary:
With the growth of business data and cloud computing technologies, server cluster architectures are transitioning towards distributed clusters, and network intrusion patterns are changing with them. However, traditional intrusion detection methods were designed primarily for individual hosts and have several shortcomings when applied to distributed clusters. First, traditional feature-based network intrusion detection methods struggle to learn new types of attacks and produce high rates of missed and false detections when dealing with them. In addition, traditional intrusion detection systems neglect the processing of detected logs, which are more complicated and difficult to identify manually when detected in large clusters. Finally, such system designs are ill-suited to distributed clusters, so detection results cannot be managed and displayed uniformly.

To address these challenges, we first propose a network intrusion log detection method based on an improved Transformer model, which aims to reduce the model's false detection and missed detection rates. We also propose a novel named entity recognition method, based on an improved BERT model, to make manual identification of detected logs more efficient. Finally, we combine the improved network intrusion detection method and the log information extraction method to design a system for Kubernetes, which aims to achieve unified management and information aggregation for multi-node intrusion detection.

The main contributions of this paper are as follows:

1. We propose an adaptive residual improvement method called Adaptive Res Former. The method builds on the Transformer model and improves how information is transferred between Attention layers in the original model's Post-LN mode. It introduces a residual transfer path with adaptive weights between Attention layers, which reduces forgetting as information passes through a deep model and improves the stability of model training. The method demonstrates improved accuracy in the intrusion detection model.

2. We propose a named entity recognition method based on the BERT model, called BERT-CRFAdv. The method uses a CRF to model the sequence and calculate the probability of the labels output by BERT, enhancing recognition performance. In addition, we introduce gradient-based noise attacks into the word embedding layer to prevent overfitting and improve the model's robustness and generalization performance. The method demonstrates improved accuracy in the named entity recognition model.

3. Based on the above two methods, we design an intrusion detection system for Kubernetes. The system collects and analyzes logs using a subsystem deployed on each node, aggregates the analysis results with the Loki service, and displays the results in the Grafana front-end for visualization. System testing proves the effectiveness and stability of the intrusion detection system.

As the experimental results show, compared with state-of-the-art methods, our proposed method reduces information forgetting through residual connections, the number of steps required to achieve the same accuracy is reduced by 29%, and the F1 score is improved by 0.7% in the intrusion detection task. In the log key information extraction task, our named entity recognition method improves the F1 score by 1.5%. The proposed Kubernetes-based intrusion detection system implements network intrusion detection on distributed clusters, visualizes the current network security status of the cluster, and issues alarm information in real time.
Keywords/Search Tags: intrusion detection system, named entity recognition, Transformer model, deep residual network