With the rapid development of the Internet and the rapid growth in network size, numerous different types of attacks are emerging. These new attacks are becoming more threatening, and the means of attack change from day to day, posing challenges for network security monitoring and maintenance. Network intrusion detection has been developed for decades as an effective means of dealing with cyber threats. Researchers have proposed many new methods and explored many new techniques for different types of intrusion traffic, but most network intrusion detection models do not achieve detection results in real-world network environments as good as those in laboratory environments. This is because different types of intrusion traffic continuously evolve over time, and new intrusion attacks are continuously generated. The original sample data used for model training gradually loses its validity, and reliable real-time sample data is always very rare. How to perform accurate and effective network intrusion detection in few-shot or zero-shot scenarios is a great challenge for researchers in the field of network intrusion detection and has become a current frontier research topic. The main research contents of this thesis are as follows:

(1) To address the problem that real networks contain numerous types of network attacks and little labeled data, this thesis proposes CAEG, a self-supervised few-shot intrusion detection model based on multi-stage training. The model first makes the backbone network capable of sample generation by adding random disturbance, and then uses multi-stage pre-training tasks to enable the backbone network to learn the characteristics of samples effectively, thus achieving accurate intrusion detection while relying on only a tiny amount of labeled data.

(2) In view of the lack of real-time labeled data for new or variant attacks in real networks, this thesis proposes SPN, a few-shot intrusion detection model based on a self-supervised prototype network. In this model, the original classification problem is transformed into a metric learning problem by using the prototype network from meta-learning, and the construction of prototype points is redefined by the newly designed soft K-means and soft masking algorithm, so that a large amount of unlabeled data can be introduced into training on the basis of a tiny amount of labeled data. The SPN model not only achieves excellent intrusion detection performance in the few-shot scenario, but also has the ability to identify unknown intrusion attacks in the zero-shot scenario.

(3) To meet the needs of intrusion detection in real network environments, this thesis designs and implements a multi-scenario self-supervised network intrusion detection fusion framework. The proposed framework integrates the CAEG model, the SPN model and the CAEG-SPN-Merge model to detect network traffic with high accuracy and low latency in the all-shot, few-shot and zero-shot scenarios.

A series of experimental results on the CICIDS2017 and UNSW-NB15 datasets demonstrates that the three proposed models can accurately detect known attacks in the few-shot scenario with 96% accuracy. Meanwhile, unknown intrusion attacks can be detected efficiently in the zero-shot scenario with a detection rate of more than 93 percent.
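The prototype construction described in (2), as an added sketch that is not the thesis's code: the abstract does not specify its newly designed soft K-means and soft masking algorithm, so this uses the generic form (softmax assignment of unlabeled points, a sigmoid mask with an assumed fixed radius, distance-based rejection for unknown traffic). All names and the 2-D embeddings are constructed for illustration.

```python
import math

def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def refine_prototypes(support, unlabeled, radius=4.0, steps=3, use_mask=True):
    """Soft k-means refinement of few-shot prototypes with unlabeled embeddings."""
    dims = len(unlabeled[0])
    protos = {c: [sum(col) / len(v) for col in zip(*v)] for c, v in support.items()}
    for _ in range(steps):
        weights = []
        for u in unlabeled:
            d = {c: sqdist(u, p) for c, p in protos.items()}
            dmin = min(d.values())
            e = {c: math.exp(dmin - dc) for c, dc in d.items()}  # stable softmax(-d)
            z = sum(e.values())
            w = {c: e[c] / z for c in d}
            if use_mask:
                # Soft mask (assumed fixed radius): a sigmoid that fades out
                # points far from a prototype, e.g. traffic of unseen classes.
                w = {c: w[c] / (1 + math.exp(min(d[c] - radius, 50))) for c in d}
            weights.append(w)
        for c, vecs in support.items():
            total = len(vecs) + sum(w[c] for w in weights)
            protos[c] = [
                (sum(v[i] for v in vecs)
                 + sum(w[c] * u[i] for w, u in zip(weights, unlabeled))) / total
                for i in range(dims)]
    return protos

def classify(x, protos, reject_dist=4.0):
    """Nearest prototype, or 'unknown' when no prototype is close enough."""
    label = min(protos, key=lambda c: sqdist(x, protos[c]))
    return label if sqdist(x, protos[label]) <= reject_dist else "unknown"

# Constructed 2-D embeddings standing in for encoded flow features.
SUPPORT = {"benign": [(0.0, 0.2)], "dos": [(4.0, 3.8)]}   # one labeled flow per class
UNLABELED = [(0.3, -0.1), (-0.2, 0.1), (3.9, 4.2), (4.3, 4.1),
             (9.0, -5.0)]                                  # last point: unseen class

def demo():
    masked = refine_prototypes(SUPPORT, UNLABELED)
    plain = refine_prototypes(SUPPORT, UNLABELED, use_mask=False)
    queries = [(0.1, 0.0), (4.1, 4.0), (8.5, -4.5)]
    return ([classify(q, masked) for q in queries],
            [classify(q, plain) for q in queries])

if __name__ == "__main__":
    print(demo())
```

Without the mask, the single unseen-class point in the unlabeled pool drags the `dos` prototype far enough that a genuine DoS query is rejected as unknown; with the mask the prototype stays put and only the unseen traffic is rejected.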