Research on Intrusion Detection Method Based on Modified CGANs

doi:10.3969/j.issn.1671-1122.2020.05.006

Abstract

Abstract:

In recent years, more and more attention has been paid to the application of machine learning algorithms in intrusion detection systems (IDS). However, traditional machine learning algorithms rely more on known samples, so they need as many data samples as possible to train the model. Unfortunately, as more and more unknown attacks emerge and the attack samples used for training become unbalanced, traditional machine learning models may run into bottlenecks. This paper proposes an intrusion detection model combining improved conditional generation countermeasures network (CGANs) and deep neural network (DNN), namely CGANs-DNN, to improve the detection rate of the detection model against unknown attack types or only a few attack sample types by solving the problem of sample imbalance. Deep neural network (DNN) has the ability to represent the potential characteristics of data, while the improved conditional CGANs can generate new attack samples based on the specified type by learning the potential data distribution of known attack samples. In addition, compared with the unsupervised generation models such as GANs and VAE, the supervised generation model CGANs-DNN in this paper was improved by adding the gradient penalty item, which greatly improved the stability of training. In this paper, NSL-KDD data set was used to evaluate the results of the model. Compared with the traditional algorithm, the results show that CGANs-DNN not only has better performance in terms of overall accuracy, recall rate and false positives rate, but also has a higher detection rate for unknown attacks and attack types with only a few samples.

Key words: intrusion detection, generative adversarial networks, conditional GAN

CLC Number:

TP309

PENG Zhonglian, WAN Wei, JING Tao, WEI Jinxia. Research on Intrusion Detection Method Based on Modified CGANs[J]. Netinfo Security, 2020, 20(5): 47-56.

Figures/Tables 14

References 24

[1]	ZHANG Huanguo, MU Yi . Cyberspace Security[J]. China Communications, 2016,11(2):68-69.
[2]	ALI MH, MOHAMMED B A D A, ISMAIL M A B , et al. A New Intrusion Detection System Based on Fast Learning Network and Particle Swarm Optimization[J]. IEEE Access, 2018,18(6):20255-20261.
[3]	TIAN Yingjie, MIRZABAGHERI M, BAMAKAN S M H , et al. Ramp Loss One-Class Support Vector Machine; A Robust and Effective Approach to Anomaly Detection Problems[J]. Neurocomputing, 2018,310(3):223-235.
[4]	GANESHAN R, PAUL R S . I-AHSDT: Intrusion Detection Using Adaptive Dynamic Directive Operative Fractional Lion Clustering and Hyperbolic Secant-Based Decision Tree Classifier[J]. Journal of Experimental & Theoretical Artificial Intelligence, 2018,6(30):887-910.
[5]	SERPEN G , AGHAEIE. Host-Based Misuse Intrusion Detection Using PCA Feature Extraction and KNN Classification Algorithms[J]. Intelligent Data Analysis, 2018,22(5):1101-1114.
[6]	LI Deng, DONG Yu . Deep Learning: Methods and Applications[J]. Foundations and Trends in Signal Processing, 2014,7(3-4):197-387.
[7]	WONGSUPHASAWAT K, SMILKOV D, WEXLER J , et al. Visualizing Dataflow Graphs of Deep Learning Models in Tensor Flow[J]. IEEE Transactions on Visualization and Computer Graphics, 2018,24(1):1-24.
[8]	MALAIYA R K, KWON D, KIM J , et al. An Empirical Evaluation of Deep Learning for Network Anomaly Detection[J]. IEEE Access, 2018,18(7):140806-140817.
[9]	LI Chaopeng, WANG Jinlin, YE Xiaozhou . Using a Recurrent Neural Network and Restricted Boltzmann Machines for Malicious Traffic Detection[J]. Neuro Quantology, 2018,16(5):823-831.
[10]	ZHENG Wang . Deep Learning Based Intrusion Detection with Adversaries[J]. IEEE Access, 2018,18(6):38367-38384.
[11]	XIN Yang, KONG Lingshuang, LIU Zhi , et al. Machine Learning and Deep Learning Methods for Cybersecurity[J]. IEEE Access, 2018,18(6):35365-35381.
[12]	SEO E, SONG H M, KIM H K . GIDS: GAN based Intrusion Detection System for In-Vehicle Network [C]//IEEE. 16th Annual Conference on Privacy, Security and Trust (PST), August 28-30, 2018, Belfast, UK. New York: IEEE, 2018: 1-6.
[13]	GOODFELLOW I, POUGET-ABADIE J, MIRZA M et al. Generative Adversarial Nets[EB/OL]. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.747.1316&rep=rep1&type=pdf, 2014-10-15.
[14]	GULRAJANI I, AHMED F, ARJOVSKY M , et al. Improved Training of Wasserstein GANs[EB/OL]. https://arxiv.org/pdf/1704.00028.pdf, 2017-10-15.
[15]	DHANABAL L, SHAN THARAJAH . A Study on NSL-KDD Dataset for Intrusion Detection System Based on Classiﬁcation Algorithms[EB/OL]. https://ijarcce.com/upload/2015/june-15/IJARCCE%2096.pdf, 2015-10-15.
[16]	WANG Xiaosen, HE Kun, SONG Chuanbiao , et al. AT-GAN: A Generative Attack Model for Adversarial Transferring on Generative Adversarial Nets[EB/OL]. https://arxiv.org/pdf/1904.07793.pdf, 2020-1-15.
[17]	HU Weiwei, TAN Ying . Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN[EB/OL]. https://arxiv.org/pdf/1702.05983.pdf, 2017-10-15.
[18]	MUHAMMAD U, MUHAMMAD A, SIDDIQUE L , et al. Generative Adversarial Networks For Launching and Thwarting Adversarial Attacks on Network Intrusion Detection Systems [C]//IEEE. 15th International Wireless Communications & Mobile Computing Conference (IWCMC), June 24-28, 2019, Tangier, Morocco. New York: IEEE, 2019: 78-83.
[19]	MA Tao, WANG Fen, CHENG Jianjun , et al. A Hybrid Spectral Clustering and Deep Neural Network Ensemble Algorithm for Intrusion Detection in Sensor Networks[J]. Sensors, 2016,16(10):1701-1723.
[20]	TANG T A, MHAMDI L, MCLERNON D , et al. Deep Recurrent Neural Network for Intrusion Detection in SDN-based Networks [C]//IEEE. 4th IEEE Conference on Network Softwarization and Workshops (NetSoft), June 25-29, 2018, Montreal, QC, Canada. New York: IEEE, 2018: 202-206.
[21]	MUNA A H, MOUSTAFA N, SITNIKOVA E , et al. Identification of Malicious Activities in Industrial Internet of Thingsbased on Deep Learning Models[J]. Journal of Information Security and Applications, 2018,41:1-11.
[22]	GUILLAUME L, FERNANDO N, CHRISTOS A . Imbalanced-Learn: A Python Toolbox to Tackle the Curse of Imbalanced Datasets in Machine learning[EB/OL]. https://hal.inria.fr/hal-01516244/document, 2017-10-15.
[23]	CHAWLA N V, BOWYER K W, HALL L O , et al. SMOTE: Synthetic Minority Over-Sampling Technique[J]. Journal of Artificial Intelligence Research, 2002,16(1):321-357.
[24]	HE Haibo, BAI Yang, GARCIA E A , et al. ADASYN: Adaptive Synthetic Sampling Approach for Imbalanced Learning [C]//IEEE. 2008 IEEE International Joint Conference on Neural Networks (IEEE World Congress on Computational Intelligence), June 1-8, 2008, Hong Kong, China. New York: IEEE, 2018: 1322-1328.

	预测为攻击样本	预测为正常样本
攻击样本	TP	FN
正常样本	FP	TN

指标类型	计算方式
$Accuracy$	$\frac{TP+TN}{TP+TN+FP+FN}$
$DR$	$\frac{TP}{TP+FN}$
$Precision$	$\frac{TP}{TP+FP}$
$Recall$	$\frac{TP}{TP+FN}$
$FPR$	$\frac{FP}{FP+TN}$
F1- measure	$\frac{2\left( Precision\times Recall \right)}{Precision+Recall}\text{或}\frac{2TP}{2TP+FP+FN}$

攻击类型	分类	总计
DoS	back, land, neptune, pod, smurf, teardrop, mailbomb, processtable, udpstorm,apache2, worm	11
Probe	Satan, ipsweep, nmap, portsweep, mscan, saint	6
R2L	guess_passwd, ftp_write, imap, phf, multihop, warezmaster, xlock, xsnoop, snmpguess, snmpgetattack, httptunnel, sendmail, named, warezclient, spy	15
U2R	buffer_overflow, loadmodule, rootkit, perl, slotbacks, xterm, ps	7
总计		39

类别	KDDTrain+_20Percent		KDDTest+		KDDTest-21
	攻击类型	数量	攻击类型	数量	攻击类型	数量
Normal	normal	13449	normal	9711	normal	2152
合计	13449			9711		2152
Probe	ipsweep satan portsweep nmap	710 691 587 301	ipsweep satan portsweep nmap saint mscan	141 735 157 73 319 996	ipsweep satan portsweep nmap saint mscan	141 727 156 73 309 996
合计	2289			2421		2402
DoS	neptune smurf back teardrop pod land	8282 529 196 188 38 1	neptune smurf back teardrop pod land apache2 mailbomb processtable udpstorm	4657 665 359 12 41 7 737 293 685 2	neptune smurf back teardrop pod land apache2 mailbomb processtable udpstorm	1579 627 359 12 41 7 737 293 685 2
合计	9234			7458		4342
U2R	buffer_over?ow rootkit loadmodule	6 4 1	buffer_over?ow rootkit loadmodule perl httptunnel ps sqlattack xterm	20 13 2 2 133 15 2 13	buffer_over?ow rootkit loadmodule perl httptunnel ps sqlattack xterm	20 13 2 2 133 15 2 13
合计	11			200		200
R2L	guess_passwd warezmaster imap multihop phf ftp_write spy warezclient	10 7 5 2 2 1 1 181	guess_passwd warezmaster imap multihop phf ftp_write named sendmail xlock xsnoop worm snmpgetattack snmpguess	1231 944 1 18 2 3 17 14 9 4 2 178 331	guess_passwd warezmaster imap multihop phf ftp_write named sendmail xlock xsnoop worm snmpgetattack snmpguess	1231 944 1 18 2 3 17 14 9 4 2 178 331
合计	209			2754		2754
总计	25192			22544		11850

	节点个数	激活函数	W断开率
Dense	100	Leaky-ReLUs	0
Dense	80	Leaky-ReLUs	0
Dense	70	Leaky-ReLUs	0
Dense	70	Leaky-ReLUs	0
Dense	80	Leaky-ReLUs	0
Dense	122	/	/