Intrusion detection model based on hybrid convolutional neural network and recurrent neural network
FANG Yuan1, LI Ming1, WANG Ping1, JIANG Xinghe2, ZHANG Xinming2
1. Division of Information Communication, State Grid Anhui Electric Power Company Limited, Hefei Anhui 230061, China; 2. School of Computer Science and Technology, University of Science and Technology of China, Hefei Anhui 230027, China
Abstract: To address advanced persistent threats (APTs) in power information networks, an intrusion detection model combining a Convolutional Neural Network (CNN) with a Recurrent Neural Network (RNN) is proposed. The model classifies the current network state from statistical characteristics of network traffic. First, the traffic records extracted from log files are pre-processed: categorical features are encoded and numeric features are normalized. Second, the CNN uses deformable convolution kernels to extract the spatial correlation features of intrusion traffic across different hosts. Finally, the resulting feature maps are arranged into time-ordered sequences, and the RNN mines the temporal correlation features of the intrusion traffic. Experimental results show that the Area Under the Curve (AUC) of the model is 7.5% to 14.0% higher than that of traditional machine learning models, and that the false positive rate is reduced by 52.7% to 83.7%. The model therefore identifies the type of network traffic accurately while significantly lowering the false positive rate.
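The abstract compresses the data side of the pipeline into one sentence (encoding, normalization, time ordering) and reports two metrics, AUC and false positive rate. The following Python is an added example, not code from the paper: it encodes a handful of constructed KDD Cup 99-style connection records (the field names follow the public dataset's schema; the records, the detector scores and the window size are invented for illustration), arranges the vectors into time-ordered windows of the kind an RNN stage consumes, and computes AUC and the false positive rate at a decision threshold. The CNN and RNN layers themselves are not reproduced here.

```python
"""Added example: KDD Cup 99-style preprocessing and the two metrics the
abstract reports (AUC, false positive rate). Pure Python, no dependencies.
The records and scores below are constructed, not the paper's data."""
from typing import Dict, List, Sequence, Tuple

# Assumption: field names follow the public KDD Cup 99 schema; only a
# subset is used and every record here is invented.
CATEGORICAL = ("protocol_type", "service", "flag")
NUMERIC = ("duration", "src_bytes", "dst_bytes", "count", "serror_rate")

RECORDS: List[Dict[str, object]] = [
    {"protocol_type": "tcp", "service": "http", "flag": "SF", "duration": 0,
     "src_bytes": 215, "dst_bytes": 45076, "count": 1, "serror_rate": 0.0, "label": "normal"},
    {"protocol_type": "tcp", "service": "http", "flag": "SF", "duration": 0,
     "src_bytes": 162, "dst_bytes": 4528, "count": 2, "serror_rate": 0.0, "label": "normal"},
    {"protocol_type": "tcp", "service": "private", "flag": "S0", "duration": 0,
     "src_bytes": 0, "dst_bytes": 0, "count": 123, "serror_rate": 1.0, "label": "neptune"},
    {"protocol_type": "icmp", "service": "ecr_i", "flag": "SF", "duration": 0,
     "src_bytes": 1032, "dst_bytes": 0, "count": 511, "serror_rate": 0.0, "label": "smurf"},
    {"protocol_type": "udp", "service": "domain_u", "flag": "SF", "duration": 0,
     "src_bytes": 44, "dst_bytes": 132, "count": 3, "serror_rate": 0.0, "label": "normal"},
    {"protocol_type": "tcp", "service": "private", "flag": "S0", "duration": 0,
     "src_bytes": 0, "dst_bytes": 0, "count": 200, "serror_rate": 1.0, "label": "neptune"},
]
# Constructed detector scores for the six records above, in the same order.
SCORES = [0.1, 0.4, 0.9, 0.8, 0.3, 0.4]


def build_vocab(records: Sequence[Dict[str, object]], field: str) -> Dict[str, int]:
    """Stable category -> index map (sorted so the encoding is reproducible)."""
    return {v: i for i, v in enumerate(sorted({str(r[field]) for r in records}))}


def min_max_ranges(records: Sequence[Dict[str, object]]) -> Dict[str, Tuple[float, float]]:
    """Per-feature (min, max) used for min-max normalization."""
    ranges = {}
    for f in NUMERIC:
        vals = [float(r[f]) for r in records]
        ranges[f] = (min(vals), max(vals))
    return ranges


def encode(record, vocabs, ranges) -> List[float]:
    """One-hot the categorical fields, scale the numeric fields into [0, 1]."""
    feats: List[float] = []
    for f in CATEGORICAL:
        vec = [0.0] * len(vocabs[f])
        vec[vocabs[f][str(record[f])]] = 1.0
        feats.extend(vec)
    for f in NUMERIC:
        lo, hi = ranges[f]
        # A constant column (duration is all 0 here) maps to 0 instead of dividing by zero.
        feats.append(0.0 if hi == lo else (float(record[f]) - lo) / (hi - lo))
    return feats


def preprocess(records) -> List[List[float]]:
    vocabs = {f: build_vocab(records, f) for f in CATEGORICAL}
    ranges = min_max_ranges(records)
    return [encode(r, vocabs, ranges) for r in records]


def time_windows(vectors, size: int):
    """Sliding windows over the time-ordered feature vectors: the
    (window, features) sequences an RNN stage would consume."""
    return [vectors[i:i + size] for i in range(len(vectors) - size + 1)]


def auc(scores, labels) -> float:
    """AUC as the probability that a random attack record outscores a
    random normal record (Mann-Whitney U); ties count one half."""
    pos = [s for s, l in zip(scores, labels) if l]
    neg = [s for s, l in zip(scores, labels) if not l]
    if not pos or not neg:
        raise ValueError("AUC needs both attack and normal records")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def false_positive_rate(scores, labels, threshold: float) -> float:
    """Share of normal records flagged as attacks at the given threshold."""
    neg = [s for s, l in zip(scores, labels) if not l]
    return sum(1 for s in neg if s >= threshold) / len(neg)


def evaluate(records, scores, threshold: float) -> Tuple[float, float]:
    labels = [r["label"] != "normal" for r in records]
    return auc(scores, labels), false_positive_rate(scores, labels, threshold)


if __name__ == "__main__":
    X = preprocess(RECORDS)
    print(len(X[0]), "features per record;", len(time_windows(X, 3)), "windows of 3")
    print("AUC %.3f  FPR %.3f" % evaluate(RECORDS, SCORES, 0.5))
```

The vocabularies and min-max ranges are fitted on the records passed in; in a real deployment they must be fitted on the training split only and reused unchanged at inference time, otherwise the reported AUC and false positive rate are computed on a different feature space than the one the detector was trained on.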
References:
[1] HU P, LI H, FU H, et al. Dynamic defense strategy against advanced persistent threat with insiders[C]//INFOCOM 2015: Proceedings of the 2015 IEEE Conference on Computer Communications. Piscataway, NJ: IEEE, 2015: 747-755.
[2] LIANG G, WELLER S R, ZHAO J, et al. The 2015 Ukraine blackout: implications for false data injection attacks[J]. IEEE Transactions on Power Systems, 2017, 32(4): 3317-3318.
[3] FU Y, LI H C, WU X P, et al. Detecting APT attacks: a survey from the perspective of big data analysis[J]. Journal on Communications, 2015, 36(11): 1-14. (In Chinese.)
[4] DASH S K, REDDY K S, PUJARI A K. Adaptive Naive Bayes method for masquerade detection[J]. Security and Communication Networks, 2011, 4(4): 410-417.
[5] PERVEZ M S, FARID D M. Feature selection and intrusion classification in NSL-KDD cup 99 dataset employing SVMs[C]//SKIMA 2014: Proceedings of the 2014 8th International Conference on Software, Knowledge, Information Management and Applications. Piscataway, NJ: IEEE, 2014: 1-6.
[6] CAMACHO J, PEREZ-VILLEGAS A, GARCIA-TEODORO P, et al. PCA-based multivariate statistical network monitoring for anomaly detection[J]. Computers & Security, 2016, 59: 118-137.
[7] CHEN P, DESMET L, HUYGENS C. A study on advanced persistent threats[C]//CMS 2014: Proceedings of the 2014 IFIP International Conference on Communications and Multimedia Security. Berlin: Springer, 2014: 63-72.
[8] KDD cup 1999 data[EB/OL]. [2018-01-20]. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
[9] LECUN Y, BOTTOU L, BENGIO Y, et al. Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998, 86(11): 2278-2324.
[10] GRAVES A, MOHAMED A, HINTON G. Speech recognition with deep recurrent neural networks[C]//ICASSP 2013: Proceedings of the 38th IEEE International Conference on Acoustics, Speech and Signal Processing. Piscataway, NJ: IEEE, 2013: 6645-6649.
[11] CHUNG J, GULCEHRE C, CHO K H, et al. Empirical evaluation of gated recurrent neural networks on sequence modeling[EB/OL]. [2018-01-10]. https://arxiv.org/abs/1412.3555.
[12] DAI J, QI H, XIONG Y, et al. Deformable convolutional networks[EB/OL]. [2018-01-10]. http://openaccess.thecvf.com/content_ICCV_2017/papers/Dai_Deformable_Convolutional_Networks_ICCV_2017_paper.pdf.
[13] ABADI M, BARHAM P, CHEN J, et al. TensorFlow: a system for large-scale machine learning[C]//OSDI 2016: Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation. Berkeley: USENIX Association, 2016: 265-283.
[14] PARKOUR M. Contagio malware database: traffic patterns collection[EB/OL]. (2013) [2018-01-26]. https://www.mediafire.com/folder/c2az029ch6cke/TRAFFIC_PATTERNS_COLLECTION#734479hwy1b97.
[15] Predict. DARPA Scalable Network Monitoring (SNM) Program Traffic[EB/OL]. (2009) [2018-01-26]. https://ant.isi.edu/datasets/readmes/DARPA_Scalable_Network_Monitoring-20091103.README.txt.