Intrusion detection is one of the important means to ensure network security. To address the problem that it is difficult to balance detection accuracy and computational efficiency in network intrusion detection, based on the idea of deep metric learning, a network intrusion detection model combining improved Triplet Network (imTN) and K-Nearest Neighbor (KNN) was proposed, namely imTN-KNN. Firstly, a triplet network structure suitable for solving intrusion detection problems was designed to obtain the distance features that are more conducive to the subsequent classification. Secondly, due to the overfitting problem caused by removing the Batch Normalization (BN) layer from the traditional model which affected the detection precision, a Dropout layer and a Sigmoid activation layer were introduced to replace the BN layer, thus improving the model performance. Finally, the loss function of the traditional triplet network model was replaced with the multi-similarity loss function. In addition, the distance feature output of the imTN was used as the input of the KNN algorithm for retraining. Comparison experiments on the benchmark dataset IDS2018 show that compared with the Deep Neural Network based Intrusion Detection System (IDS-DNN) and Convolutional Neural Networks and Long Short Term Memory (CNN-LSTM) based detection model, the detection accuracy of imTN-KNN is improved by 2.76% and 4.68% on Sub_DS3, and the computational efficiency is improved by 69.56% and 74.31%.

It is a hot research topic to solve the low performance of Virtual Network Function (VNF) in SDN/NFV (Software Defined Networking/Network Function Virtualization) architecture by designing hardware acceleration mechanism. After introducing the hardware acceleration resources to VNF, how to control and deploy these acceleration resources has been an urgent problem. To solve the problems above, a uniform hardware acceleration management architecture based on the accelerator cards on servers and OpenFlow switches was proposed. Based on this architecture, the model of acceleration resource deployment was built, and the evaluation indicators for the resource deployment mechanism was proposed by analyzing the impact of acceleration resources on service chain mapping. Finally, a two-stage acceleration resource deployment algorithm was designed. The experimental results show that, compared with Single-attribute Acceleration Resource Deployment algorithm (SARD) and Uniform Acceleration Resource Deployment algorithm (UARD), the proposed mechanism can optimize the deployment of the acceleration resources and improve the total traffic handled by acceleration resources and the utilization of acceleration resources by 41.4% and 14.5% respectively.

Aiming at the low recovery efficiency by using the traditional re-mapping failure recovery algorithm and prolonged interruption of service, a Fault Recovery Algorithm based on Equivalent Resource (FRA-ER) was proposed. The FRA-ER converted the recovery problem to finding equivalent resource problem, achieving to recovery all or part of the fault RSCNs by once. A Network Reconfigure Algorithm (NRA) was also proposed to detect and regulate the RSCNs periodically to optimize their architectures and reduce the costs. Finally, the numerical results show that the proposed FRA-ER could achieve 15% recovery time reduction compared with conventional overall re-mapping algorithm and fast recovery algorithm. The NRA could achieve 80 band reduction on average, improving the recovery success ratio by 10%.

Real network traffic contains mass of features, and the method of anomaly detection based on feature analysis is not suitable for high-dimensional features classification. A method based on Principal Component Analysis and tabu Tabu Search (PCA-TS) decision tree classification for anomaly detection was proposed. The method reduced high-dimensional features and selected optimal feature subset which was suitable for classification through PCA-TS algorithm, then the decision tree of higher detection rate and lower false rate was used for classification and detection based on semi-supervised learning. The experiment shows that the approach has higher detection accuracy and lower false rate compared with traditional anomaly detection method, and the detection performance is less affected by sample size and is suitable for real-time detection of unknown anomalies.