| Threats and risks are increasing day by day in the cyberspace.Abnormal network traffic is one of the main threats to network security at present,and it is also the key object of network security monitoring.In recent years,machine learning technology has been widely used in intrusion detection based on abnormal network traffic with its excellent feature learning ability.However,there are still some problems,such as the traffic classification performance is very dependent on feature design,the classification of network traffic intrusion detection data set is unbalanced,and the identification accuracy of a few classes is poor.Aiming at the above problems,this paper conducts research on the representation form of the network traffic intrusion detection feature set,the treatment method of class imbalance and the selection of classifiers.The main research work is as follows:(1)Aiming at the problem that intrusion detection based on traditional machine learning methods relies on feature engineering,a feature set based on the original network traffic byte sequence is constructed for model feature learning and classification.Machine learning models were trained on byte sequence feature sets,original traffic feature sets and feature subsets obtained based on feature selection method respectively,and the classification effects of different feature sets on the models were compared.The experimental results show that the byte sequence feature sets have better detection performance than other feature sets on several typical algorithms.(2)Most network abnormal traffic intrusion detection methods based on deep learning model do not take into account the class imbalance of data sets.To solve this problem,a processing method combining category recombination technology with Focal Loss Loss Function is proposed.Category recombination technology ensured relatively balanced samples among attack classes.Focal Loss Loss function improved the model’s attention to a few category samples and complex samples by affecting the category weight.Experimental results on several deep convolutional neural network models show that the proposed method can effectively improve the identification accuracy of a few attack samples.(3)Intrusion detection based on deep learning has a high detection rate,but its training process is complex.Aiming at this problem,a network intrusion detection model based on raw traffic data combined with XGBoost algorithm is proposed,which combines raw network traffic data with ensemble classifier for the first time.Experimental results show that the training speed and accuracy of the XGBoost model are significantly better than other ensemble learning models in terms of network traffic byte sequence feature set,and the classification effect is even much higher than that of the deep convolutional neural network. |
PDF Full Text Request