Journal of Computer Applications, 2021, Vol. 41, Issue (7): 1996-2002. DOI: 10.11772/j.issn.1001-9081.2020081217

Special Issue: Cyberspace Security

• Cyber security •

Intrusion detection based on improved triplet network and K-nearest neighbor algorithm

WANG Yue, JIANG Yiming, LAN Julong   

  1. Information Engineering University, Zhengzhou Henan 450001 China
  • Received: 2020-08-14 Revised: 2020-12-15 Online: 2021-07-10 Published: 2021-01-11
  • Supported by:
    This work is partially supported by the National Key Research and Development Program of China (2018YFB0804002).


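  1. Strategic Support Force Information Engineering University, Zhengzhou 450001
  • Corresponding author: WANG Yue
  • About the authors: WANG Yue (born 1996), female, from Meishan, Sichuan, master's student; main research interest: cyberspace security. JIANG Yiming (born 1984), male, from Nantong, Jiangsu, assistant research fellow, Ph.D.; main research interests: network virtualization and network architecture. LAN Julong (born 1962), male, from Zhangbei, Hebei, professor, doctoral supervisor, Ph.D.; main research interest: new-generation information networks.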

Abstract: Intrusion detection is an important means of ensuring network security. To address the difficulty of balancing detection accuracy and computational efficiency in network intrusion detection, a network intrusion detection model named imTN-KNN, which combines an improved Triplet Network (imTN) with K-Nearest Neighbor (KNN), was proposed based on the idea of deep metric learning. Firstly, a triplet network structure suited to intrusion detection was designed to obtain distance features that are more conducive to the subsequent classification. Secondly, because removing the Batch Normalization (BN) layer from the traditional model causes overfitting, which affects detection precision, a Dropout layer and a Sigmoid activation layer were introduced to replace the BN layer, thus improving model performance. Finally, the loss function of the traditional triplet network model was replaced with the multi-similarity loss function. In addition, the distance feature output of the imTN was used as the input of the KNN algorithm for retraining. Comparison experiments on the benchmark dataset IDS2018 show that, compared with the Deep Neural Network based Intrusion Detection System (IDS-DNN) and the Convolutional Neural Networks and Long Short-Term Memory (CNN-LSTM) based detection model, imTN-KNN improves detection accuracy by 2.76% and 4.68% respectively on Sub_DS3, and improves computational efficiency by 69.56% and 74.31% respectively.

Key words: network security, intrusion detection, deep learning, triplet network, K-Nearest Neighbor (KNN), Multi-Similarity loss function
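The abstract's two stages, a multi-similarity loss that shapes the embedding space and a KNN classifier run on the resulting distance features, are illustrated in the following added example, which is not the authors' code. It assumes the general form of the multi-similarity loss without pair mining, cosine similarity, illustrative hyperparameters (`alpha`, `beta`, `lam`), and constructed 2-D vectors standing in for imTN outputs.

```python
import math
from collections import Counter

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    return dot / (math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v)))

def multi_similarity_loss(emb, labels, alpha=2.0, beta=50.0, lam=0.5):
    """General multi-similarity loss over one batch (no pair mining).
    alpha, beta and lam are assumed values, not the paper's settings."""
    total = 0.0
    for i, (x, y) in enumerate(zip(emb, labels)):
        pos = neg = 0.0
        for k, (z, yk) in enumerate(zip(emb, labels)):
            if k == i:
                continue
            s = cosine(x, z)
            if yk == y:
                pos += math.exp(-alpha * (s - lam))  # same class but dissimilar: penalised
            else:
                neg += math.exp(beta * (s - lam))    # different class but similar: penalised
        total += math.log1p(pos) / alpha + math.log1p(neg) / beta
    return total / len(emb)

def knn_predict(train_emb, train_labels, query, k=3):
    """Majority vote among the k most similar training embeddings."""
    ranked = sorted(zip(train_emb, train_labels),
                    key=lambda p: cosine(query, p[0]), reverse=True)
    return Counter(lbl for _, lbl in ranked[:k]).most_common(1)[0][0]

# Constructed sample data: six flow embeddings, three per class.
LABELS = ["benign", "benign", "benign", "attack", "attack", "attack"]
# Embedding space where classes form two tight clusters (what training aims for).
SEPARATED = [(1.0, 0.1), (0.9, 0.2), (1.0, 0.0), (0.1, 1.0), (0.2, 0.9), (0.0, 1.0)]
# Same points, but two of them sit in the wrong class's cluster (untrained space).
ENTANGLED = [(1.0, 0.1), (0.1, 1.0), (0.9, 0.2), (1.0, 0.0), (0.2, 0.9), (0.0, 1.0)]

if __name__ == "__main__":
    print("loss, separated:", round(multi_similarity_loss(SEPARATED, LABELS), 4))
    print("loss, entangled:", round(multi_similarity_loss(ENTANGLED, LABELS), 4))
    for q in [(0.95, 0.15), (0.05, 0.9)]:
        print(q, "->", knn_predict(SEPARATED, LABELS, q))
```

The loss is lower for the separated space than for the entangled one, which is why a KNN vote over the trained embeddings can stay simple and cheap at detection time.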

