A Network Intrusion Detection Method Based on a Deep Supervised Discrete Hashing Neural Network
XUE Yin, WEI Songjie
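(School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210000, China)
Abstract:
In recent years the scale of network applications has expanded rapidly, and anomalous traffic and attack behavior seriously threaten the security of cyberspace, making effective detection of attacks in the network an important research topic. AI-based network intrusion detection has become a research hotspot in the network security field. Most existing methods are based on deep learning and are limited by two problems: first, network traffic data is high-dimensional, which makes feature extraction difficult; second, detection models generalize poorly and have high false positive rates. To address these problems, a network intrusion detection model based on a deep supervised discrete hashing neural network is proposed, which learns hash representations of the targets for use in intrusion detection. The model comprises a lightweight multi-layer neural network and a machine learning framework based on supervised discrete hashing. It accelerates convergence by alternately minimizing the loss function, and learns a set of fixed-length hash codes that preserve the similarity of network data of the same class and reflect the differences between different types of traffic. Intrusions can then be detected through the Hamming distance between hash codes, which reduces the effect on the final detection result of redundant features and of the information loss caused by dimensionality reduction methods. For detection, multi-segment index hashing is used to query the nearest-neighbor hash codes and determine the traffic type, giving fast and accurate intrusion detection. The proposed model is validated experimentally on the CIC-IDS2017, NSL-KDD and UNSW-NB15 datasets, and its performance is analyzed and evaluated on metrics such as accuracy and false positive rate, showing good detection accuracy and generalization ability. The learned binary hash codes effectively reflect the differences between different types of traffic. Accuracy on network intrusion detection exceeds 97%, and the false positive rate is significantly improved compared with other detection methods.
Keywords: network security; traffic modeling; network intrusion detection; hash neural network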
DOI:10.19363/J.cnki.cn10-1380/tn.2025.07.05
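Received: 2023-11-23  Revised: 2024-01-19
Funding: This work was supported by the National Key R&D Program of China sub-project "Research on Key Technologies of Endogenous Security Switches" (No. 2020YFB1804604) and the Industrial Internet Innovation and Development Project "Integrated Network Security Protection Platform for Industrial Enterprises" (No. TC200H01V).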
Network Intrusion Detection with Deep Neural Network for Supervised Learning of Discrete Hash
XUE Yin,WEI Songjie
School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210000, China
Abstract:
In recent years, internet applications have expanded rapidly. Anomalous network traffic and operations seriously threaten the security of cyberspace, and detecting attacks effectively in networks has become an important research topic. Applying AI to network intrusion detection has become a promising research direction. However, existing deep learning-based methods face two main challenges: the high dimensionality of massive traffic data, and poor generalization ability with high false positive rates. To address these issues, we propose a network intrusion detection model based on a Deep Supervised Discrete Hash Neural Network, where the learning objective is to obtain hash representations for intrusion detection. The model consists of a lightweight multi-layer neural network and a supervised discrete hash learning framework. It adopts an alternating minimization of the loss function to accelerate convergence, and learns a set of fixed-length hash codes that preserve the similarity among network data of the same type and reflect the differences between different types of traffic. The Hamming distance between hash codes is used for intrusion detection, in order to reduce the impact on the final detection results of redundant features and of the information loss caused by dimensionality reduction methods. For intrusion detection, Multi-Segment Index Hashing is used to query the nearest-neighbor hash codes and determine the traffic type, enabling fast and accurate detection. The proposed model is experimentally validated on the CIC-IDS2017, NSL-KDD, and UNSW-NB15 datasets, and its performance is analyzed in terms of accuracy and false positive rate. The results demonstrate that the model possesses good generalization and detection capabilities, and that the learned binary hash codes effectively reflect the differences between various types of traffic. The accuracy of intrusion detection achieved by the model surpassed 97% on the tested datasets, and the false positive rate showed a significant improvement compared to the other benchmark methods.
Key words: network security; traffic modeling; network intrusion detection; hash neural network
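
The abstract describes determining the traffic type by querying nearest-neighbor hash codes under Hamming distance with multi-segment index hashing. The sketch below is an added example, not the authors' code: it uses the standard pigeonhole-based multi-index scheme, and the 32-bit code length, four segments, class labels and sample codes are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

BITS, SEGMENTS = 32, 4                 # assumed code length / segment count
SEG_BITS = BITS // SEGMENTS
SEG_MASK = (1 << SEG_BITS) - 1

def segments(code):
    """Split a BITS-bit hash code into SEGMENTS substrings, low bits first."""
    return [(code >> (i * SEG_BITS)) & SEG_MASK for i in range(SEGMENTS)]

def hamming(a, b):
    return bin(a ^ b).count("1")

class MultiSegmentIndex:
    def __init__(self, labelled_codes):
        self.items = list(labelled_codes)             # [(code, label), ...]
        self.tables = [defaultdict(list) for _ in range(SEGMENTS)]
        for idx, (code, _) in enumerate(self.items):
            for table, seg in zip(self.tables, segments(code)):
                table[seg].append(idx)

    def candidates(self, query, radius):
        # Pigeonhole: a code within `radius` bits of the query has at least
        # one segment within radius // SEGMENTS bits of the query's segment.
        seg_radius, found = radius // SEGMENTS, set()
        for table, seg in zip(self.tables, segments(query)):
            for k in range(seg_radius + 1):
                for flips in combinations(range(SEG_BITS), k):
                    probe = seg
                    for bit in flips:
                        probe ^= 1 << bit
                    found.update(table.get(probe, ()))
        return found

    def nearest(self, query, radius):
        """Return (label, distance) of the closest code within radius."""
        best = None
        for i in sorted(self.candidates(query, radius)):
            d = hamming(self.items[i][0], query)   # verify on the full code
            if d <= radius and (best is None or d < best[0]):
                best = (d, self.items[i][1])
        return (best[1], best[0]) if best else ("unknown", None)

# Constructed sample codes; a trained hashing network would emit real ones.
TRAIN = [(0x0F0F0F0F, "benign"), (0x0F0F0F0E, "benign"), (0x0F0F1F0F, "benign"),
         (0xF0F0F0F0, "dos"), (0xF0F0F0F1, "dos"), (0xAAAA5555, "portscan")]
INDEX = MultiSegmentIndex(TRAIN)
```

A query with no indexed code inside the radius returns `("unknown", None)`, which a deployment would need to treat as its own outcome rather than as benign.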