
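Research on Intrusion Detection Algorithms Based on Network Anomalies

Published: 2018-06-30 07:42

Topic: intrusion detection + deep learning; Source: Beijing Jiaotong University, 2017 master's thesis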


[Abstract]: The spread of network applications has brought great convenience, but it has also made network security problems increasingly prominent. Intrusion detection is a proactive network security protection technology: it provides real-time protection against internal attacks, external attacks and operator error, and effectively intercepts and blocks them before the network system comes under attack. After introducing the basic concepts, structure, classification and detection methods of intrusion detection systems, the thesis reviews the state of research, in China and abroad, on intrusion detection technology, deep learning theory, data preprocessing based on principal component analysis (PCA), and clustering algorithms. It describes deep learning theory in detail, including the key models and techniques of deep neural networks and convolutional neural networks, and analyzes the theoretical basis of the PCA and clustering algorithms. The main work and contributions of the thesis are the following three:

(1) For the data preprocessing stage of intrusion detection, after studying PCA-based feature extraction, the thesis proposes a fast algorithm that extracts multiple principal components in parallel. The algorithm extracts multiple principal components from a signal simultaneously without any additional normalization step. Simulation experiments verify that the proposed algorithm is reasonable and effective.

(2) The thesis builds two deep learning models. The first is a deep neural network model: it applies a traditional BP neural network with added Dropout layers to prevent overfitting, uses Mini-batch and Batch-normalization to converge quickly and reduce the model's running time, and uses an improved stochastic gradient descent (SGD) optimization method to keep the model from getting stuck at local extrema. The second is a convolutional neural network model: it convolves selected kernels with the data to capture the local correlation of features and so improve the accuracy of feature extraction, uses several "convolution layer, down-sampling layer" stages to build a deep characterization of normal and abnormal behavior in the network, and finally classifies with a multilayer perceptron. Experiments on KDD 99, the classic dataset in the intrusion detection field, show that, compared with the classic BP neural network, the SVM algorithm and similar methods, the proposed deep neural network and convolutional neural network models effectively improve the classification accuracy of intrusion detection; compared with other deep learning models, their performance is roughly on par.

(3) The thesis proposes a hybrid intrusion detection framework. Input data first passes through a K-means-based feature-selection clustering model, is then compressed in a preprocessing step using the proposed parallel multiple-principal-component extraction algorithm, and finally enters the deep neural network model for training. In this way rare attacks such as U2R and R2L can be identified first, which makes the data entering the deep neural network model more accurate. With this hybrid framework, the detection rate on the network data as a whole is high, and the detection rate for rare attacks such as U2R and R2L is effectively improved.
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP393.08


Article No.: 2085536

