Abstract:
In the dynamic field of the internet in modern life, networks are increasingly vulnerable to a diverse range of cyberattacks. Conventional intrusion detection systems based on machine learning techniques require a large number of samples for training. However, in some scenarios, only a limited number of malicious samples can be collected. To address the issue of insufficient training samples and unbalanced sample classes for intrusion detection system in real network environments, this paper proposes an intrusion detection method named DeepInsight–transfer learning–convolutional neural network (DI–TL–CNN), which is based on DI and TL. First, the DI method is used to convert the intrusion dataset into an image form suitable for CNN model input. The DI method can transform text while maintaining the semantic relationships between data points, thereby providing high-quality images. In this step, we map the 1D feature vector representation of the input data onto the 2D image representation using T-SNE and construct 2D grayscale images. In the second step, we train and optimize the VGG16 model through TL and fine-tuning, enhancing the model’s adaptability and performance. We propose six TL schemes by freezing and fine-tuning the parameters of different modules in the CNN model to enhance intrusion detection performance. In the TL process, the VGG16 model, pretrained on the ImageNet dataset, demonstrates promising results for generic image classification tasks. The bottom layers of CNN models often learn basic feature patterns that are applicable to various tasks, while the features acquired by the top layers of the model are specific to the target domain intrusion dataset. Fine-tuning allows the model to adjust the pretrained architecture’s higher-order features to better match the targeted dataset. During the training process, the bottom layers of the pretrained architecture are frozen, whereas the top layers are unfrozen for fine-tuning. The optimal intrusion detection model is determined through a comparison of the performance of the six TL schemes. Finally, the correctness and effectiveness of the proposed DI–TL–CNN method are validated on a dataset with insufficient training samples, using metrics such as accuracy, precision, recall, and F1-score. In the experiments, compared with existing state-of-the-art models for intrusion detection, the proposed method considerably enhances accuracy in the detection of network traffic data. The experimental results show that the DI–TL–CNN method is suitable for intrusion detection with small samples and unbalanced data, demonstrating the good application prospects of the method in complex networks.