基于DeepInsight和迁移学习的入侵检测技术

Network intrusion detection technology based on DeepInsight and transfer learning

  • 摘要: 针对入侵检测研究中,入侵检测训练样本较少、样本不平衡等问题,本文提出一种基于DeepInsight和迁移学习的入侵检测方法DI–TL–CNN (DeepInsight–transfer learning–convolutional neural network,DI–TL–CNN). 分析采用DeepInsight方法将入侵数据转换为适合CNN模型输入的图像数据集的过程;研究基于VGG16模型的训练方法,并进一步利用迁移学习开展目标域入侵检测的过程. 通过冻结和微调CNN模型中不同模块参数,比较研究了6种迁移方案,并基于数据集实验研究,获得优化方案. 采用以UNSW-NB15为基础的不平衡数据集作为方法验证对象,进行网络的入侵检测分析,验证本文提出的DI–TL–CNN方法的正确性;进一步实验比较研究本文提出的方法与其他方法的检测性能,实验结果表明,DI–TL–CNN方法更加适用于样本较小和不平衡数据情况下的入侵检测,其准确率和召回率等性能指标均优于其他检测方法,具有良好的应用前景.

     

    Abstract: In the dynamic field of the internet in modern life, networks are increasingly vulnerable to a diverse range of cyberattacks. Conventional intrusion detection systems based on machine learning techniques require a large number of samples for training. However, in some scenarios, only a limited number of malicious samples can be collected. To address the issue of insufficient training samples and unbalanced sample classes for intrusion detection system in real network environments, this paper proposes an intrusion detection method named DeepInsight–transfer learning–convolutional neural network (DI–TL–CNN), which is based on DI and TL. First, the DI method is used to convert the intrusion dataset into an image form suitable for CNN model input. The DI method can transform text while maintaining the semantic relationships between data points, thereby providing high-quality images. In this step, we map the 1D feature vector representation of the input data onto the 2D image representation using T-SNE and construct 2D grayscale images. In the second step, we train and optimize the VGG16 model through TL and fine-tuning, enhancing the model’s adaptability and performance. We propose six TL schemes by freezing and fine-tuning the parameters of different modules in the CNN model to enhance intrusion detection performance. In the TL process, the VGG16 model, pretrained on the ImageNet dataset, demonstrates promising results for generic image classification tasks. The bottom layers of CNN models often learn basic feature patterns that are applicable to various tasks, while the features acquired by the top layers of the model are specific to the target domain intrusion dataset. Fine-tuning allows the model to adjust the pretrained architecture’s higher-order features to better match the targeted dataset. During the training process, the bottom layers of the pretrained architecture are frozen, whereas the top layers are unfrozen for fine-tuning. The optimal intrusion detection model is determined through a comparison of the performance of the six TL schemes. Finally, the correctness and effectiveness of the proposed DI–TL–CNN method are validated on a dataset with insufficient training samples, using metrics such as accuracy, precision, recall, and F1-score. In the experiments, compared with existing state-of-the-art models for intrusion detection, the proposed method considerably enhances accuracy in the detection of network traffic data. The experimental results show that the DI–TL–CNN method is suitable for intrusion detection with small samples and unbalanced data, demonstrating the good application prospects of the method in complex networks.

     

/

返回文章
返回