Journal of Computer Applications ›› 2018, Vol. 38 ›› Issue (10): 2903-2907.DOI: 10.11772/j.issn.1001-9081.2018030710


Intrusion detection model based on hybrid convolutional neural network and recurrent neural network

FANG Yuan1, LI Ming1, WANG Ping1, JIANG Xinghe2, ZHANG Xinming2   

  1. Division of Information Communication, State Grid Anhui Electric Power Company Limited, Hefei Anhui 230061, China;
    2. School of Computer Science and Technology, University of Science and Technology of China, Hefei Anhui 230027, China
  • Received:2018-04-08 Revised:2018-06-04 Online:2018-10-10 Published:2018-10-13
  • Supported by:
    This work is partially supported by National Key Research and Development Program of China (017YFC0804402).

  • Corresponding author: ZHANG Xinming
  • Author biographies: FANG Yuan (方圆, 1983-), male, born in Huangshan, Anhui, engineer, master's degree; research interest: information security. LI Ming (李明, 1971-), male, born in Hefei, Anhui, senior engineer; research interest: information security. WANG Ping (王萍, 1975-), female, born in Tongcheng, Anhui, senior engineer; research interest: information security. JIANG Xinghe (江兴何, 1993-), male, born in Bozhou, Anhui, master's student; research interest: deep learning. ZHANG Xinming (张信明, 1964-), male, born in Tianchang, Anhui, professor, PhD, CCF senior member; research interests: wireless networks, big data, smart grid.

Abstract: To address advanced persistent threats in power information networks, an intrusion detection model combining a Convolutional Neural Network (CNN) with a Recurrent Neural Network (RNN) was proposed; it classifies the current network state from statistical characteristics of network traffic. First, the traffic statistics obtained from log files were pre-processed by feature encoding and normalization. Second, spatial correlation features between the intrusion traffic of different hosts were extracted with deformable convolution kernels in the CNN. Finally, the resulting data, now carrying the spatial correlation features, were arranged with a time offset and fed to the RNN, which extracted the temporal correlation features of the intrusion traffic. Experimental results show that, compared with traditional machine learning models, the proposed model raised the Area Under Curve (AUC) by 7.5% to 14.0% and lowered the false positive rate by 52.7% to 83.7%. This indicates that the proposed model can accurately identify the type of network traffic and substantially reduce the false positive rate.

Key words: advanced persistent threat, network traffic, convolutional neural network, recurrent neural network
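The abstract names four stages (feature encoding and normalization of per-host traffic statistics, a spatial grid of hosts per time step for the CNN, time-offset sequences for the RNN, and evaluation by AUC and false positive rate) without showing any of them. The block below is an added illustration in plain Python, not the paper's code: the records, the protocol vocabulary and the host list are constructed, and `stub_score` stands in for the trained CNN+RNN whose weights the page does not give. It shows the data layout each stage produces and how the two reported metrics are computed from a classifier's scores.

```python
"""
Added illustration (not the paper's code) of the data path the abstract
describes and of the two metrics it reports.  Everything below is
constructed: the log records, the protocol vocabulary, the host list and
the stand-in scorer.
"""

# Constructed sample: one row per (time step, host) with a categorical
# protocol field, two numeric counters and a ground-truth label
# (1 = intrusion traffic, 0 = benign).
SAMPLE_RECORDS = [
    (0, "h1", "tcp", 1200, 10, 0),
    (0, "h2", "udp", 300, 4, 0),
    (1, "h1", "tcp", 1500, 12, 0),
    (1, "h2", "icmp", 60000, 900, 1),
    (2, "h1", "tcp", 80000, 1200, 1),
    (2, "h2", "icmp", 70000, 1000, 1),
    (3, "h1", "udp", 400, 5, 0),
    (3, "h2", "tcp", 900, 8, 0),
]
PROTOCOLS = ("tcp", "udp", "icmp")  # assumed categorical vocabulary


def encode_features(records):
    """One-hot encode the protocol and min-max scale the numeric columns.

    Returns {(t, host): feature_vector} and {(t, host): label}.
    """
    numeric = [r[3:5] for r in records]
    lo = [min(col) for col in zip(*numeric)]
    hi = [max(col) for col in zip(*numeric)]
    features, labels = {}, {}
    for t, host, proto, *nums, label in records:
        onehot = [1.0 if proto == p else 0.0 for p in PROTOCOLS]
        scaled = [(v - l) / (h - l) if h > l else 0.0
                  for v, l, h in zip(nums, lo, hi)]
        features[(t, host)] = onehot + scaled
        labels[(t, host)] = label
    return features, labels


def stagger_windows(features, hosts, window):
    """Arrange the per-step host grids with a time offset.

    Each value is a list of `window` consecutive time steps; each step is
    the list of all hosts' feature vectors (the spatial axis the CNN
    convolves over).  The RNN consumes the steps in order.
    Returns {end_step: [[host_vec, ...] per step]}.
    """
    steps = sorted({t for t, _ in features})
    out = {}
    for i in range(window - 1, len(steps)):
        seq = [[features[(t, h)] for h in hosts]
               for t in steps[i - window + 1:i + 1]]
        out[steps[i]] = seq
    return out


def stub_score(sequence):
    """Stand-in for the trained CNN+RNN (assumption for illustration):
    the largest scaled byte count of any host in the window's last step."""
    bytes_col = len(PROTOCOLS)  # first numeric column after the one-hot
    return max(vec[bytes_col] for vec in sequence[-1])


def auc(scores, labels):
    """Area under the ROC curve as the Mann-Whitney statistic: the
    probability that a random positive outranks a random negative,
    with ties counting one half."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    if not pos or not neg:
        raise ValueError("AUC needs samples of both classes")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0
               for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def false_positive_rate(scores, labels, threshold):
    """Share of benign samples flagged as intrusion at `threshold`."""
    neg = [s for s, y in zip(scores, labels) if y == 0]
    if not neg:
        raise ValueError("FPR needs benign samples")
    return sum(s >= threshold for s in neg) / len(neg)


def evaluate(records=SAMPLE_RECORDS, hosts=("h1", "h2"), window=2,
             threshold=0.5):
    """Run the constructed sample through the whole pipeline.  A window
    is labelled intrusion if any host in its last step is an intrusion."""
    feats, labels = encode_features(records)
    windows = stagger_windows(feats, hosts, window)
    scores, truth = [], []
    for end_t, seq in sorted(windows.items()):
        scores.append(stub_score(seq))
        truth.append(int(any(labels[(end_t, h)] for h in hosts)))
    return {"auc": auc(scores, truth),
            "fpr": false_positive_rate(scores, truth, threshold)}


if __name__ == "__main__":
    print(evaluate())
```

Note that the AUC is threshold-free while the false positive rate depends on the operating threshold; when comparing a "reduced false positive rate" across models, the threshold (or the matching detection rate) has to be fixed, which is why the abstract's two figures answer different questions.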

