基于实体嵌入和长短时记忆网络的入侵检测方法

doi:10.7523/j.issn.2095-6134.2020.04.016

中国科学院大学学报 ›› 2020, Vol. 37 ›› Issue (4): 553-561.DOI: 10.7523/j.issn.2095-6134.2020.04.016

基于实体嵌入和长短时记忆网络的入侵检测方法

赖训飞^1,2,3,4, 梁旭文^2,3,4, 谢卓辰³, 李宗旺^3,4

1. 中国科学院上海微系统与信息技术研究所, 上海 200050;
2. 上海科技大学信息学院, 上海 201210;
3. 中国科学院上海微小卫星工程中心, 上海 201203;
4. 中国科学院大学, 北京 100049

收稿日期:2019-01-25 修回日期:2019-04-03 发布日期:2020-07-15
通讯作者: 赖训飞
基金资助:
国家自然科学基金（91738201）和上海市青年科技英才扬帆计划项目（17YF1418200）资助

Intrusion detection method based on entity embedding and long short-term memory networks

LAI Xunfei^1,2,3,4, LIANG Xuwen^2,3,4, XIE Zhuochen³, LI Zongwang^3,4

1. Shanghai Institute of Microsyst&Information Technology, Chinese Academy of Sciences, Shanghai 200050, China;
2. School of Information Science&Technology, ShanghaiTech University, Shanghai 201210, China;
3. Shanghai Engineering Center for Microsatellites, Chinese Academy of Sciences, Shanghai 201203, China;
4. University of Chinese Academy of Sciences, Beijing 100049, China

Received:2019-01-25 Revised:2019-04-03 Published:2020-07-15

摘要/Abstract

摘要： 针对网络入侵检测过程中无法有效处理入侵数据中分类变量的表示，导致网络入侵检测准确率低、漏报率高等问题，提出一种基于实体嵌入和长短时记忆网络（long short-term memory network，LSTM）相结合的网络入侵检测方法。首先，在数据预处理时，将表示网络特征数据中的数值型变量和分类型变量数据分开，通过实体嵌入方法将分类型变量数据映射在一个欧几里得空间，得到一个向量表示，再将这个向量嵌入到数值型数据后面得到输入数据。然后，通过把数据输入到长短时记忆网络中去训练，通过时间反向传播更新参数，得到最优嵌入向量作为输入特征的同时，也得到一个相对最优的LSTM网络的检测模型。在数据集NSL-KDD上进行实验验证，结果表明实体嵌入是一种有效处理网络入侵数据中分类变量的方法，它和LSTM网络相结合组成的模型能够有效提高入侵检测率。在数据预处理时对分类变量的处理中，实体嵌入方法与传统的One-Hot编码方法相比，检测的准确率提高1.44个百分点，漏报率降低2.99个百分点。

关键词: 实体嵌入, 长短时记忆网络, 入侵检测, 分类变量

Abstract: Due to the inability to effectively deal with the representation of categorical variables in intrusion data, the network intrusion detection has low accuracy and high false negative rate. A method combining entity embedding and long short-term memory network (LSTM) is proposed. First, when the data is preprocessed, the numerical variable data and categorical variable data are separated, and the categorical variable data are mapped into an Euclidean space by using the entity embedding method to obtain a vector representation and then this vector is embedded into the numeric data to get the input data. Then, by inputting the data into the long short-term memory network, the parameters are updated by time back propagation. Thus the optimal embedded vector is obtained as the input feature, and a relatively optimal detection model of the LSTM network is also obtained through training. Experiments are carried out on the data set NSL-KDD, and the results show that entity embedding is an effective method to deal with categorical variables in network intrusion data. The model composed of LSTM network effectively improves the detection rate. In the processing of categorical variables, the accuracy of detection using entity embedding method increases by 1.44 percentage points and the false negative rate decreases by 2.99 percentage points, compared with those using the traditional One-Hot coding method.

Key words: entity embedding, LSTM, intrusion detection, categorical variables

中图分类号:

TP393.08

赖训飞, 梁旭文, 谢卓辰, 李宗旺. 基于实体嵌入和长短时记忆网络的入侵检测方法[J]. 中国科学院大学学报, 2020, 37(4): 553-561.

LAI Xunfei, LIANG Xuwen, XIE Zhuochen, LI Zongwang. Intrusion detection method based on entity embedding and long short-term memory networks[J]. , 2020, 37(4): 553-561.

参考文献

[1] Yu D. Research on anomaly intrusion detection technology in wireless network[C]//2018 International Conference on Virtual Reality and Intelligent Systems. IEEE, 2018:540-543.
[2] Akoglu L, Tong H, Vreeken J, et al. Fast and reliable anomaly detection in categorical data[C]//Proceedings of the 21st ACM International Conference on Information and Knowledge Management. ACM, 2012:415-424.
[3] 和湘, 刘晟, 姜吉国. 基于机器学习的入侵检测方法对比研究[J]. 信息网络安全, 2018, 18(5):1-11.
[4] 魏书宁, 陈幸如, 唐勇, 等. AR-HELM算法在网络流量分类中的应用研究[J]. 信息网络安全, 2018, 18(1):9-14.
[5] Tang T A, Mhamdi L, McLernon D, et al. Deep recurrent neural network for intrusion detection in sdn-based networks[C]//20184th IEEE Conference on Network Softwarization and Workshops. IEEE, 2018:202-206.
[6] Yin C, Zhu Y, Fei J, et al. A deep learning approach for intrusion detection using recurrent neural networks[J]. IEEE Access, 2017, 5:21954-21961.
[7] Staudemeyer R C. Applying long short-term memory recurrent neural networks to intrusion detection[J].South African Computer Journal, 2015, 56(1):136-154.
[8] Tang T A, Mhamdi L, McLernon D, et al. Deep learning approach for network intrusion detection in software defined networking[C]//Wireless Networks and Mobile Communications, 2016 International Conference on. IEEE, 2016:258-263.
[9] Vinayakumar R, Soman K P, Poornachandran P. Applying convolutional neural network for network intrusion detection[C]//Advances in Computing, Communications and Informatics, 2017 International Conference on. IEEE, 2017:1222-1228.
[10] Potdar K, Pardawala T S, Pai C D. A comparative study of categorical variable encoding techniques for neural network classifiers[J]. International Journal of Computer Applications, 2017, 175(4):7-9.
[11] Guo C, Berkhahn F. Entity embeddings of categorical variables[J]. arXiv preprint arXiv:1604.06737, 2016.
[12] 於帮兵, 王华忠, 颜秉勇. 基于长短时记忆网络的工业控制系统入侵检测[J]. 信息与控制, 2018, 47(1):54-59.
[13] Dhanabal L, Shantharajah S P. A study on NSL-KDD dataset for intrusion detection system based on classification algorithms[J]. International Journal of Advanced Research in Computer and Communication Engineering, 2015, 4(6):446-452.
[14] Shijia E, Xiang Y. Entity search based on the representation learning model with different embedding strategies[J]. IEEE Access, 2017,5:15174-15183.
[15] Wu F, Song J, Yang Y, et al. Structured embedding via pairwise relations and long-range interactions in knowledge base[C]//AAAI. 2015:1663-1670.
[16] Yuan M, Wu Y, Lin L. Fault diagnosis and remaining useful life estimation of aero engine using LSTM neural network[C]//Aircraft Utility Systems, IEEE International Conference on. IEEE, 2016:135-140.
[17] De Brébisson A, Simon É, Auvolat A, et al. Artificial neural networks applied to taxi destination prediction[J]. arXiv preprint arXiv:1508.00021, 2015.
[18] Dai H, Dai B, Song L. Discriminative embeddings of latent variable models for structured data[C]//International Conference on Machine Learning, 2016:2702-2711.
[19] Amihai I, Chioua M, Gitzel R, et al. Modeling machine health using gated recurrent units with entity embeddings and K-means clustering[C]//2018 IEEE 16th International Conference on Industrial Informatics. IEEE, 2018:212-217.
[20] Vinayakumar R, Soman K P, Poornachandran P. Long short-term memory based operation log anomaly detection[C]//Advances in Computing, Communications and Informatics, 2017 International Conference on. IEEE, 2017:236-242.
[21] Duan L, Xiao Y. An Intrusion Detection model based on fuzzy C-means algorithm[C]//20188th International Conference on Electronics Information and Emergency Communication. IEEE, 2018:120-123.

基于实体嵌入和长短时记忆网络的入侵检测方法

Intrusion detection method based on entity embedding and long short-term memory networks

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 4

编辑推荐

Metrics

本文评价

访问统计

联系我们

[1]	尹芷仪, 沈嘉荟, 郭晓博, 查达仁. 一种基于参数污点分析的软件行为模型[J]. 中国科学院大学学报, 2017, 34(5): 647-656.
[2]	王卫平; 朱卫未; 陈文惠; 梁樑. 基于网络的入侵检测系统数据包采样策略研究[J]. 中国科学院大学学报, 2006, 23(4): 534-542.
[3]	连一峰. 分布式入侵检测系统的协作交互研究[J]. 中国科学院大学学报, 2005, 22(2): 202-209.
[4]	连一峰, 戴英侠, 王航. 托管式安全监控系统[J]. 中国科学院大学学报, 2001, 18(2): 167-171.