Intrusion detection method, system, equipment and readable storage medium

文档序号：49839 发布日期：2021-09-28 浏览：37次中文

阅读说明：本技术 一种入侵检测方法、系统、设备及可读存储介质 (Intrusion detection method, system, equipment and readable storage medium ) 是由王振东徐振宇李大海杨书新王俊岭于 2020-11-12 设计创作，主要内容包括：本申请实施例公开了一种入侵检测方法、系统、设备及可读存储介质,通过DRN残差块结构,将卷积层替换为全连接层,简化网络结构、加速训练过程；将跳层连接之后的激活函数层移至跳层连接之前,更有效地解决了梯度消失、梯度爆炸与网络“退化”问题；为了提升SAE-DRN检测算法的泛化能力,使用EBAS优化SAE-DRN算法的网络层数以及各层神经网络中神经元的个数。为避免EBAS算法陷入局部最优,设计了全方位变步长搜索算法、最优位置更新策略以及回溯式步长更新法则。实验结果表明,SAE-DRN入侵检测算法能够很好适应各种入侵检测数据集,有效提升入侵检测的准确率、精确度、召回率与F1值,降低入侵检测的误判率。(The embodiment of the application discloses an intrusion detection method, a system, equipment and a readable storage medium, wherein a convolution layer is replaced by a full-link layer through a DRN residual block structure, so that a network structure is simplified, and a training process is accelerated; the activation function layer after the jump layer connection is moved to the position before the jump layer connection, so that the problems of gradient disappearance, gradient explosion and network degradation are solved more effectively; in order to improve the generalization capability of the SAE-DRN detection algorithm, the number of network layers of the SAE-DRN algorithm and the number of neurons in each layer of neural network are optimized by using EBAS. In order to avoid the EBAS algorithm from being trapped in local optimization, an all-round variable step size search algorithm, an optimal position updating strategy and a backtracking type step size updating rule are designed. Experimental results show that the SAE-DRN intrusion detection algorithm can be well adapted to various intrusion detection data sets, the accuracy, precision, recall rate and F1 value of intrusion detection are effectively improved, and the misjudgment rate of intrusion detection is reduced.)

1. An intrusion detection method, the method comprising:

step 1: determining the number of problem clusters according to task properties, constructing an all-directional variable step length search algorithm based on the problem clusters, and initializing the optimization direction, the optimization times, the iteration step length and a decay factor lambda of the step length after each iteration of the longicorn;

step 2: executing an EBAS algorithm and outputting a super parameter, transmitting the super parameter output by the EBAS algorithm into an SAE module and a DRN module, and determining the number of network layers and the number of neurons in each layer in the SAE module and the DRN module;

and step 3: normalization processing is carried out on different intrusion detection data sets to obtain a mixed and normalized data set X;

and 4, step 4: inputting the data set X to the SAE module and pre-training the SAE module;

and 5: inputting the characteristic data of the data set X obtained in the step 4 into the DRN module, and training the DRN module;

step 6: adjusting parameters layer by layer, calculating and returning loss values of a training set and a cross validation set, taking the loss values as objective function values of the EBAS module, and updating relevant parameters of the EBAS module;

and 7: repeatedly executing the step 3 to the step 6 until an iteration termination condition of the EBAS module is triggered to obtain the optimal parameters of the SAE-DRN neural network;

and 8: and transmitting the optimal parameters to the SAE module and the DRN module, training the optimal parameters, and verifying an actual intrusion detection data set after training.

2. The method of claim 1, wherein the EBAS algorithm is implemented by the following steps:

step a: initializing parameters of the EBAS algorithm, wherein the parameters comprise the number M of problem clusters and the optimizing dimension n of each problem cluster, and initializing the sensing directions dir of M longicorn and the distance d between two antennae of the longicorn according to the values of M and n₀Optimizing times N, iteration step length L and a decay factor lambda of the step length after each iteration;

step b: respectively calculating left and right antenna positions X in the sensing direction of each longicorn_lAnd X_rAnd substituting the calculated objective function values cost into the objective function to calculate the objective function values cost of the left and right antenna positions_l、cost_r；

Step c: calculating the next updated position X of the longicorn according to the left and right antenna objective function values, and calculating a new objective function value cost _ nest;

step d: comparing the cost_l、cost_rSelecting an optimal value as a current optimal objective function value, recording the position of the longicorn at the moment, and updating the position according to an optimal position updating strategy;

step e: if the best _ cost value changes, the iteration step length is restored to the initial state; otherwise, updating according to a backtracking step updating rule;

step f: and c, repeatedly executing the steps b, c, d and e until an iteration stop condition is met.

3. The method of claim 1, wherein in step 6, the loss function used in processing the two-class problem is:

the penalty function used in dealing with the multi-classification problem is:

wherein the content of the first and second substances,tag value, y, representing a sample_iThe predicted value is represented by a value of the prediction,tag value, y, representing class m samples_imProbability value representing the prediction of the sample by the classifier to the m-th class, n representing the number of samples, m representing the number of samplesAnd (4) classifying the number.

4. The method of claim 1, wherein in step 1, the number of problem clusters is determined according to task properties, and the problem cluster-based omni-directional variable step size search algorithm is constructed, comprising:

the searching direction of the initialized omnibearing variable-step-size longicorn is calculated according to the following formula:

d_i＝rands(1，n_i)

dir_i＝d_i/norm(d_i)

i denotes the ith problem cluster, n_iDimension representing the problem to be optimized on the ith problem cluster, d_iRepresenting a random vector which has the same optimizing direction as that of the ith problem cluster in the direction and has the same dimensionality as the problem to be optimized in the ith problem cluster in the dimensionality; dir_i＝d_i/norm(d_i) Will d_iConverted into a unit vector.

5. An intrusion detection system, the system comprising:

the data processing module is used for determining the number of problem clusters according to task properties, constructing an all-dimensional variable step size searching algorithm based on the problem clusters, and initializing the optimizing direction, optimizing times, iteration step size and a decay factor lambda of the step size after each iteration of the longicorn;

the EBAS optimizing module is used for executing an EBAS algorithm and outputting the super parameters, transmitting the super parameters output by the EBAS algorithm into the SAE module and the DRN module, and determining the number of network layers and the number of neurons in each layer in the SAE module and the DRN module; normalization processing is carried out on different intrusion detection data sets to obtain a mixed and normalized data set X;

an SAE-DRN training module for inputting the data set X to the SAE module and pre-training the SAE module; inputting the obtained characteristic data of the data set X into the DRN module, and training the DRN module; adjusting parameters layer by layer, calculating and returning loss values of a training set and a cross validation set, taking the loss values as objective function values of the EBAS module, and updating relevant parameters of the EBAS module; repeatedly executing until an iteration termination condition of the EBAS module is triggered to obtain the optimal parameters of the SAE-DRN neural network; and transmitting the optimal parameters to the SAE module and the DRN module, training the optimal parameters, and verifying an actual intrusion detection data set after training.

6. The system of claim 5, wherein the EBAS optimization module is specifically configured to: the EBAS algorithm is specifically realized by the following steps:

Step c: calculating the next updated position X of the longicorn according to the left and right antenna objective function values, and calculating a new objective function value cost _ nest;

step e: if the best _ cost value changes, the iteration step length is restored to the initial state; otherwise, updating according to a backtracking step updating rule;

step f: and c, repeatedly executing the steps b, c, d and e until an iteration stop condition is met.

7. The system of claim 5, wherein the SAE-DRN training module is specifically configured to:

the penalty function used in dealing with the two-class problem is:

the penalty function used in dealing with the multi-classification problem is:

wherein the content of the first and second substances,tag value, y, representing a sample_iThe predicted value is represented by a value of the prediction,tag value, y, representing class m samples_imThe probability value representing the probability that the classifier predicts the sample as the mth class, n represents the number of samples, and m represents the number of classifications.

8. The system of claim 5, wherein the data processing module is specifically configured to:

the searching direction of the initialized omnibearing variable-step-size longicorn is calculated according to the following formula:

d_i＝rands(1，n_i)

dir_i＝d_i/norm(d_i)

9. An apparatus, characterized in that the apparatus comprises: the device comprises a data acquisition device, a processor and a memory;

the data acquisition device is used for acquiring data; the memory is to store one or more program instructions; the processor, configured to execute one or more program instructions to perform the method of any of claims 1-4.

10. A computer-readable storage medium having one or more program instructions embodied therein for performing the method of any of claims 1-4.

Technical Field

The embodiment of the application relates to the technical field of artificial intelligence, in particular to an intrusion detection method, system, equipment and readable storage medium.

Background

While the network technology is developed at a high speed, computer viruses and network intrusion come together, which brings great challenges to network security. With the continuous improvement of the technical level of attackers, network attacks are more and more concealed, the brought harm is more and more, and how to discover and resist the network attacks becomes a core problem for network security personnel. An Intrusion Detection System (IDS) can effectively identify abnormal Intrusion information through network data analysis, so that Intrusion data are intercepted, and the success rate of network attack is greatly reduced. Unlike other network security systems, the IDS belongs to an active network security protection technology, and detects network intrusion data in near real time, and can activate defensive measures when a threat is generated, thereby avoiding further expansion of the scope of security threat, and thus reducing the harm caused by the network security threat to the minimum, so the IDS is a very important technology in terms of network security protection.

At present, relevant scholars at home and abroad deeply research intrusion detection algorithms and provide various intrusion detection algorithms, the used methods comprise machine learning, mathematical statistics, neural networks, genetic evolution and the like, and the intrusion detection algorithms are widely applied to different fields of traditional internet, internet of things, industrial internet and the like, so that effective early warning and evaluation on different network security events are realized. However, the conventional method generally has the defects of sensitive noise data, overfitting, high algorithm complexity and the like, and part of methods are weak in generalization capability and difficult to adapt to the difference and the diversity of network attack types and attack methods.

Disclosure of Invention

Therefore, an intrusion detection method, system, device and readable storage medium are provided in the embodiments of the present application, and are an intrusion detection algorithm (SAE-DRN) based on a combination of a Sparse Auto Encoder (SAE) and a Deep Residual Network (DRN). A DRN residual block structure is redesigned, and the convolution layer is replaced by a full connection layer, so that a network structure is simplified, and the training process is accelerated; the activation function layer after the jump layer connection is moved to the position before the jump layer connection, so that the problems of gradient disappearance, gradient explosion and network degradation are solved more effectively; in order to improve the generalization capability of the SAE-DRN detection algorithm, an improved Tianniu whisker Search algorithm (EBAS) is designed based on a Beetle whisker Search algorithm (BAS), and the EBAS is used for optimizing the number of network layers of the SAE-DRN algorithm and the number of neurons in each layer of neural network. In order to avoid the EBAS algorithm from being trapped in local optimization, an all-round variable step size search algorithm, an optimal position updating strategy and a backtracking type step size updating rule are designed. Experimental results show that the SAE-DRN intrusion detection algorithm can be well adapted to various intrusion detection data sets, the accuracy, precision, recall rate and F1 value of intrusion detection are effectively improved, and the misjudgment rate of intrusion detection is reduced.

In order to achieve the above object, the embodiments of the present application provide the following technical solutions:

according to a first aspect of embodiments of the present application, there is provided an intrusion detection method, including:

and step 3: normalization processing is carried out on different intrusion detection data sets to obtain a mixed and normalized data set X;

and 4, step 4: inputting the data set X to the SAE module and pre-training the SAE module;

and 5: inputting the characteristic data of the data set X obtained in the step 4 into the DRN module, and training the DRN module;

and 7: repeatedly executing the step 3 to the step 6 until an iteration termination condition of the EBAS module is triggered to obtain the optimal parameters of the SAE-DRN neural network;

and 8: and transmitting the optimal parameters to the SAE module and the DRN module, training the optimal parameters, and verifying an actual intrusion detection data set after training.

Optionally, the specific implementation steps of the EBAS algorithm are as follows:

Step c: calculating the next updated position X of the longicorn according to the left and right antenna objective function values, and calculating a new objective function value cost _ nest;

step e: if the best _ cost value changes, the iteration step length is restored to the initial state; otherwise, updating according to a backtracking step updating rule;

step f: and c, repeatedly executing the steps b, c, d and e until an iteration stop condition is met.

Optionally, in the step 6, the loss function used in processing the two-class problem is:

the penalty function used in dealing with the multi-classification problem is:

wherein the content of the first and second substances,tag value, y, representing a sample_iThe predicted value is represented by a value of the prediction,tag value, y, representing class m samples_imThe probability value representing the probability that the classifier predicts the sample as the mth class, n represents the number of samples, and m represents the number of classifications.

Optionally, in step 1, the determining the number of problem clusters according to task properties, and constructing an omnidirectional variable-step-size search algorithm based on the problem clusters includes:

the searching direction of the initialized omnibearing variable-step-size longicorn is calculated according to the following formula:

d_i＝rands(1，n_i)

dir_i＝d_i/norm(d_i)

According to a second aspect of embodiments of the present application, there is provided an intrusion detection system, the system comprising:

Optionally, the EBAS optimizing module is specifically configured to: the EBAS algorithm is specifically realized by the following steps:

Step c: calculating the next updated position X of the longicorn according to the left and right antenna objective function values, and calculating a new objective function value cost _ nest;

step e: if the best _ cost value changes, the iteration step length is restored to the initial state; otherwise, updating according to a backtracking step updating rule;

step f: and c, repeatedly executing the steps b, c, d and e until an iteration stop condition is met.

Optionally, the SAE-DRN training module is specifically configured to:

the penalty function used in dealing with the two-class problem is:

the penalty function used in dealing with the multi-classification problem is:

wherein the content of the first and second substances,tag value, y, representing a sample_iThe predicted value is represented by a value of the prediction,tag value, y, representing class m samples_imThe probability value representing the probability that the classifier predicts the sample as the mth class, n represents the number of samples, and m represents the number of classifications.

Optionally, the data processing module is specifically configured to:

the searching direction of the initialized omnibearing variable-step-size longicorn is calculated according to the following formula:

d_i＝rands(1，n_i)

dir_i＝d_i/norm(d_i)

According to a third aspect of embodiments herein, there is provided an apparatus comprising: the device comprises a data acquisition device, a processor and a memory; the data acquisition device is used for acquiring data; the memory is to store one or more program instructions; the processor is configured to execute one or more program instructions to perform the method of any of the first aspect.

According to a fourth aspect of embodiments herein, there is provided a computer-readable storage medium having one or more program instructions embodied therein for performing the method of any of the first aspects.

In summary, the embodiments of the present application provide an intrusion detection method, system, device and readable storage medium, which are an intrusion detection algorithm based on the combination of a sparse self-encoder and a deep residual error network. A DRN residual block structure is redesigned, and the convolution layer is replaced by a full connection layer, so that a network structure is simplified, and the training process is accelerated; the activation function layer after the jump layer connection is moved to the position before the jump layer connection, so that the problems of gradient disappearance, gradient explosion and network degradation are solved more effectively; in order to improve the generalization capability of the SAE-DRN detection algorithm, an improved longicorn whisker search algorithm is designed based on the longicorn whisker search algorithm, and the number of network layers of the SAE-DRN algorithm and the number of neurons in each layer of neural network are optimized by using EBAS. In order to avoid the EBAS algorithm from being trapped in local optimization, an all-round variable step size search algorithm, an optimal position updating strategy and a backtracking type step size updating rule are designed. Experimental results show that the SAE-DRN intrusion detection algorithm can be well adapted to various intrusion detection data sets, the accuracy, precision, recall rate and F1 value of intrusion detection are effectively improved, and the misjudgment rate of intrusion detection is reduced.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.

The structures, ratios, sizes, and the like shown in the present specification are only used for matching with the contents disclosed in the specification, so that those skilled in the art can understand and read the present invention, and do not limit the conditions for implementing the present invention, so that the present invention has no technical significance, and any structural modifications, changes in the ratio relationship, or adjustments of the sizes, without affecting the functions and purposes of the present invention, should still fall within the scope of the present invention.

FIG. 1 is a schematic diagram of an SAE-DRN algorithm provided in an embodiment of the present application;

fig. 2a is a sparse self-encoder network structure provided in an embodiment of the present application;

FIG. 2b is a specific operation process of a single neuron according to an embodiment of the present application;

fig. 3a is a depth residual network residual block structure provided in the present application;

fig. 3b is an original residual block structure provided by an embodiment of the present application;

FIG. 4 is a schematic diagram of an omni-directional variable step size search algorithm provided in an embodiment of the present application;

FIGS. 5a, 5b and 5c are diagrams of SAE-DRN intrusion detection algorithms provided by embodiments of the present application;

FIG. 6 is a schematic diagram illustrating an implementation process of an SAE-DRN intrusion detection algorithm according to an embodiment of the present application;

FIGS. 7a, 7b, and 7c are ROC curves for binary classification of various algorithms according to embodiments of the present application;

fig. 8a, 8b, 8c, 8d, 8e, and 8f are ROC graphs under various algorithm multivariate classifications provided by embodiments of the present application;

fig. 9 is a schematic flowchart of an intrusion detection method according to an embodiment of the present application;

fig. 10 is a block diagram of an intrusion detection system according to an embodiment of the present application.

Detailed Description

The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Deep learning can form ideal classification characteristics by simulating the learning thinking process of human brains and extracting data characteristics layer by layer, so that the classification accuracy is improved, and the attention of network security researchers is attracted. For example, Nagarathna Ravi et al, which integrates a deep feedforward neural network with an improved K-means algorithm (RRS-K means), proposes a semi-supervised intrusion detection method (SDRK) that uses only a small amount of labeled data and a large amount of unlabeled data for training, and can be applied to situations with few labeled data in an actual environment and improve the detection accuracy of intrusion detection. Cui et al applies deep learning to malicious code detection, first converts an executable file of the malicious code into a grayscale image, and then identifies and classifies the malicious code by using a Convolutional Neural Network (CNN), thereby expanding the application range of the CNN. Vinayakumar et al indicate that long short term memory networks (LSTM), commonly used for text generation, machine translation, speech recognition, have a powerful power for malicious domain name detection. Nicole et al designed a network-based distributed deep learning framework for different network attack behaviors, which simultaneously detected Internet of things attack behaviors using a Convolutional Neural Network (CNN) for detecting phishing and application layer DDoS attacks and a long-short term memory network (LSTM) for discovering botnet attacks.

As a special network structure for deep learning, a sparse self-coding network and a residual error network have attracted extensive attention once they are proposed. The sparse self-coding network can extract fine structures and fine patterns hidden in complex data under an unsupervised condition, has the advantages of simple algorithm implementation, high feature extraction efficiency, high training speed and the like, and is currently applied to the fields of pathological image analysis, hyperspectral image classification, industrial equipment fault detection, facial expression recognition and the like. The residual error network can effectively overcome the defect of 'degeneration' of the deep neural network, improves the expression capability of the network on complex data, and is successfully applied to pedestrian detection, semantic segmentation, natural language processing and the like. Zhou Tao et al summarized the application of residual error network (ResNet) in medical image processing, indicating that residual error network can help doctors to obtain rich image information, thereby improving diagnostic effect and efficiency, and providing effective technical reference for computer-aided clinical diagnosis.

By combining the advantages of efficient extraction of data fine characteristic patterns by a sparse self-coding network and the strong expression capability of a residual error network on large-scale complex data, the embodiment of the application designs an intrusion detection algorithm (SAE-DRN) based on a sparse self-coder and a deep residual error network.

Firstly, a sparse self-encoder is used for extracting a fine structure and a mode inside an intrusion data set, then SAE extracted feature data are input into a DRN, the data features of the DRN are further processed, and multi-level and nonlinear activation transformation is carried out, so that deeper data features are obtained. On the basis, an improved longicorn beard search algorithm (EBAS) is provided, the number of network layers of the SAE-DRN algorithm and the number of neurons in each layer of neural network are optimized, so that the SAE-DRN algorithm can adapt to different network attack types, and the generalization capability of the SAE-DRN detection algorithm is improved. Experiments on KDD CUP99, NSL-KDD and UNSW _ NB15 data sets show that the method of the embodiment of the application can effectively improve accuracy, precision, recall rate and F1 value of intrusion detection and reduce misjudgment rate of intrusion detection.

In a first aspect, the SAE-DRN network algorithm according to the embodiments of the present application is described in detail.

The SAE-DRN algorithm integrates the extracting capability of SAE to complex data characteristics and the inherent advantages of DRN which can deepen the network depth and improve the data classification and convergence performance, the extraction of small structure and mode characteristics in network data by SAE is realized through pre-training, the DRN is utilized to carry out deeper mining on the data characteristics, and finally, the problem of two-classification and multi-classification of an intrusion detection data set is solved by using a sigmoid function and a softmax classifier. In the initial stage of algorithm training, the number of network layers of SAE and DRN networks and the number of neurons in each layer are optimized by utilizing EBAS, so that the SAE-DRN algorithm can adaptively change the network scale of the SAE-DRN algorithm according to target characteristics, and the adaptive capacity of the algorithm to different classification tasks is improved.

The SAE-DRN algorithm structure is shown in FIG. 1. The Sparse Auto Encoders (SAE) in fig. 1 improve the auto encoder. A conventional self-encoder includes two stages, encoding and decoding. In the encoding stage, the data is subjected to dimensionality reduction, high-dimensional data compression is achieved, and key characteristic information of the data is reserved; and in the decoding stage, the data is reconstructed according to the extracted characteristic information and is restored to the dimensionality of the original input data. The number of neurons in the middle layer of the self-encoder is converged in the encoding stage, and key characteristic information is lost when dimension reduction compression is performed on high-dimensional data, so that the final classification accuracy of the data is influenced.

In contrast, the embodiment of the application introduces a coding stage, can perform dimension-increasing sparse self-encoder on original data to extract data features, effectively extracts a structural mode inside the data, improves the data classification accuracy, and simultaneously reduces the misjudgment rate. The SAE network architecture is shown in fig. 2(a), and includes an input layer, an implicit layer(s), and an output layer. The input layer to hidden layer conversion is F (x), representing the encoding process, and the hidden layer to output layer conversion is G (x), representing the decoding process. Fig. 2(b) shows a specific operation process of a single neuron.

The objective of the SAE training phase is to minimize the error of the input data and the output data, thereby determining the weights W and the offset between the input layer and the hidden layer and between the hidden layers. The SAE encoding and decoding are expressed as follows:

Z⁽²⁾＝W⁽¹⁾X+B⁽¹⁾formula (1)

D⁽²⁾＝F(Z⁽²⁾) Formula (2)

Z⁽³⁾＝W⁽²⁾D⁽²⁾+B⁽²⁾Formula (3)

D⁽³⁾＝G(Z⁽³⁾) Formula (4)

Equations (1), (2) represent the encoding process, D⁽²⁾Representing the result after encoding, D⁽³⁾For the decoding result, X is input data. The set of parameters to be trained is denoted as W⁽¹⁾,W⁽²⁾,B⁽¹⁾,B⁽²⁾And, F, G denotes activation functions, typically Tanh, ReLU, Sigmoid, etc. The training goal of SAE is to reduce the input data X and the decoding result D⁽³⁾For the reconstruction error of (2), a square loss function (squared loss) is used:

L(X,D⁽³⁾)＝(X-D⁽³⁾)²formula (5)

In the encoding stage SAE maps data to a higher dimension, resulting in f (x), g (x) fitting to an identity mapping function, which cannot achieve the extraction of data features. In contrast, a sparsity constraint is added to SAE, and SAE is prevented from completely duplicating input data in the encoding stage, and the input data X and the decoding result D are reduced⁽³⁾In order to preserve as much as possible the data characteristics. When the activation function is set to Sigmoid function and the output is 1, the neuron is considered to be in an activated state, and when the output is 0, the neuron is considered to be in a suppressed state. At this time, D⁽²⁾The characteristic data obtained after coding can also represent the activation degree of hidden layer neurons. As the average liveness of hidden layer neurons j on the training set, we describe the following:

wherein D_j ⁽²⁾Indicates the degree of activation of the hidden neuron j, D_j ⁽²⁾(X⁽ⁱ⁾) Is input X⁽ⁱ⁾The degree of activation of hidden neuron j in SAE.

Sparsity constraints are:

p is a sparsity parameter and approaches 0. The purpose of setting the sparsity limiting condition is to limit the average activity of the hidden neurons and avoid the final fitting of the sparse self-encoder into the invalid identity mapping. For this purpose, an additional penalty factor is added into the objective function, and the average activity of the hidden neurons is enabled to be continuously close to the sparsity limit condition through a gradient descent method. The penalty factor is expressed as:

s in formula (8)₂For the number of hidden neurons in the hidden layer, traversing j can obtain the activity level of each neuron in the hidden layer. The penalty factor is measured by KL-subvigence.

When P is equal toWhen the phase difference is equal to each other,is zero, formula (8) is also zero; with P andthe difference between the values of the two signals increases,both of the values of formula (8) increase. Loss function J after adding sparsity constraint_sparseComprises the following steps:

beta is the weight for controlling the sparsity penalty factor, and the value range is (0, 1). The larger the value of beta, the stronger the limitation on the activity degree of the neuron.

H (x) ═ f (x) + x formula (10)

Fig. 3(a) depicts the structure of the deep residual network and the composition of the residual block according to an embodiment of the present application. Compared with the original residual block, the method and the device have the advantages that the ReLU layer placed before the jump layer connection is placed after the jump layer connection, and low-layer data information can be transmitted to any high layer in the forward transmission process of the information, so that the network obtains the identity mapping, and the degradation problem of a deep neural network is effectively relieved.

Meanwhile, in the process of back propagation of error information between the classification result and the label value, high-level gradient information can be propagated to a low level without intermediate-level weight matrix transformation, and compared with an original residual error network, the method has more remarkable effects on overcoming the problems of gradient dispersion and gradient explosion.

In FIG. 3(a), assume that the output of the α -th residual block is X^(α)The output of the beta residual blocks is X^(β)，α>β，X⁽¹⁾Represents the output of SAE, and is also input to the first residual block of DRN. F (X)^(k),W^(k)) As a function of the residual error, W^(k)For the weight, in the forward propagation process of the information, the processing process of the 1 st and 2 nd residual blocks and any residual block can be represented as follows:

X⁽²⁾＝X⁽¹⁾+F(X⁽¹⁾,W⁽¹⁾) Formula (11)

X⁽³⁾＝X⁽¹⁾+F(X⁽¹⁾,W⁽¹⁾)+F(X⁽²⁾,W⁽²⁾) Formula (12)

……

The expression (13) reflects that the signal can be directly transmitted from any lower layer to a higher layer, and the original identity mapping is contained in the signal, so that the degradation problem of the neural network can be effectively solved.

Error information in the back propagation process, the gradient of the neural network to be optimized can be expressed as:

as can be seen from equation (14), the error information in the back propagation process can be directly propagated from any high-level network to the low-level network without weight transformation, thereby solving the problem of gradient dispersion (even if the weight of the intermediate layer is small, the gradient is not affected). At the same time, the user can select the desired position,above 1, further ensuring that gradient vanishing problems do not occur.

The last layer of the DRN is a full connection layer and is used for mapping the learned distributed feature representation to a sample mark space, so that the purposes of training a classifier and learning the target global feature are achieved. In the embodiment of the application, the data information output by the full connection layer is imported into a Sigmoid (two-class) or Softmax (multiple-class) function, the probability value of the type of the data is obtained, and finally the intrusion detection algorithm judges the type of the data according to the probability value.

In a second aspect, the embodiment of the present application optimizes parameters of an SAE-DRN algorithm, which is described in detail below.

Parameters to be optimized by the SAE-DRN algorithm comprise the number L of SAE hidden layers, the number of neurons in each layer, the number of DRN residual fast neurons and the number of residual fast neurons. The purpose of parameter optimization is to determine the network scale suitable for matching task characteristics and prevent problems of over-fitting, under-fitting and the like of an algorithm. For setting SAE and DRN parameters, the prior document mainly adopts super-parameter search algorithms such as grid search, random search, tree structure Parzen estimation method (TPE) and the like.

The grid search depends on the setting of researchers, all possible values of the fixed hyper-parameters are arranged and combined to form a grid, and the calculation cost is high; random search samples a fixed number of parameters from a designated distribution, and the search result is greatly influenced by initial parameter selection; the TPE belongs to a Bayesian optimization algorithm, a probability algorithm needs to be established by utilizing an evaluation result of an objective function, the probability algorithm is limited by the number of samples, and the optimization effect of the TPE also has larger uncertainty.

In view of group intelligent optimization, the embodiment of the application provides an improved longicorn stigma search algorithm EBAS to optimize the hyper-parameters of the SAE-DRN algorithm. The method has the advantages that the BAS algorithm is kept to be simple to realize, the searching speed is high, the time complexity is low, the perception azimuth angle is increased, the optimizing step length and the optimal longicorn position updating strategy are improved, and the defects that the BAS algorithm is limited in searching range and prone to falling into local optimization are overcome. Table 1 below describes the parameters optimized for EBAS and classifies parameters of the same nature into the same problem cluster according to the EBAS algorithm requirements in the above section.

TABLE 1

(1) Longicorn stigma search algorithm

The longhorn Search algorithm (BAS) is inspired by the foraging process of longhorns, determines the flight direction of the longhorns by judging the strength of food smell, and finally searches food. The longicorn stigma search algorithm is high in search speed and solution precision, and has superior performance for the problem of low optimization space dimensionality. The BAS algorithm uses a skyhook individual to continually update its location in the search space to find the global optimal solution. Assuming that the position of the initial longicorn individual in the n-dimensional space is X ═ X₁，X₂，……X_nThe orientation of the longicorn is dir, and the positions X of the left antenna and the right antenna are_lAnd X_rThen, there are:

d ═ rands (1, n) formula (15)

dir ═ d/norm (d) formula (16)

X_l＝X+d₀X dir/2 equation17)

X_r＝X-d₀Xdir/2 equation (18)

d₀The distance between two antennae of the longicorn. n represents the dimension of the problem to be optimized, d is a random vector with the same dimension as the problem to be optimized, dir is a unit vector with the same direction as d and represents the orientation of the longicorn. In the search, the algorithm continuously calculates the fitness function value near the antenna and guides the longicorn to fly to the direction with the better fitness function value. Longicorn individual XⁱNext position of movement Xⁱ⁺¹Is represented as follows:

Xⁱ⁺¹＝Xⁱ-L×dir×sign(f(X_l)-f(X_r) Equation (19)

L is the moving step length, f (×) represents the objective function, sign (z) is the value of the sign function as-1 or 1, and is used for controlling the moving direction of the longicorn.

(2) Omnibearing variable step size searching algorithm

The original BAS search includes two directions, namely a left direction and a right direction, and the search step length of the longicorn in the two directions is consistent, so that the search range is limited, the search efficiency is low, and the local optimum is easy to be trapped. Based on the BAS, an all-round variable step size searching algorithm is designed. In the initial stage, the number of problem clusters is set according to the parameter type in the problem to be optimized, the optimization step length and direction are set according to the type of the problem clusters, and the probability of searching the optimal solution by the longicorn is increased. The omnibearing step-size-variable longicorn searching algorithm is shown in figure 4.

The searching direction of the initialized omnibearing variable-step-size longicorn searching algorithm is as follows:

d_i＝rands(1，n_i) Formula (15)

i denotes the ith problem cluster, n_iDimension representing the problem to be optimized on the ith problem cluster, d_iAnd expressing the random vector which has the same optimizing direction as the ith problem cluster in the direction and has the same dimension as the problem to be optimized in the ith problem cluster in the dimension. dir_i＝d_i/norm(d_i) Will d_iConverted into a unit vector.

(3) Optimal location update strategy

In the BAS algorithm, the longicorn determines the next optimal position X_nextWhether updated or not is only determined by the position X of the last step of the longicornⁱThe objective function value f (X)ⁱ) And updating the position X of the acquired cattleⁱ⁺¹The objective function value f (X)ⁱ⁺¹) The quality of the product is good. If f (X)ⁱ ⁺¹) Is superior to f (X)ⁱ) And if not, the optimal longicorn position is updated, and otherwise, the position is not changed. In the formula (12), Xⁱ⁺¹The value of (a) is related to the moving step length L of the longicorn, and generally, the length of L is far larger than the distance between the centroid of the longicorn and the left (right) of the longicorn, so that the search span of the BAS algorithm is larger every time, and the position of the optimal solution is missed. For this, a long-span and short-span optimal location update strategy (LSDO) is designed. Whether the position of the cattle in the LSDO is updated or not needs to consider Xⁱ，Xⁱ⁺¹，X_lAnd X_r4 position objective function values, and selecting the longicorn position corresponding to the optimal objective function value as the optimal position, wherein X_lAnd X_rRespectively representing the position of the left beard of the longicorn and the position of the right beard of the longicorn. The above process is represented as follows:

(4) backtracking step updating rule

In the BAS algorithm, the step update is determined by multiplying the iterated step L by a step decay factor α (0< α < 1). Since 0< α <1, the step size L will continue to decrease regardless of whether the optimal position of the longicorn is updated, resulting in the algorithm falling into local optimality.

Therefore, a backtracking longicorn step length updating rule is provided: 1. if the optimal position of the longicorn after iteration is not updated, the step length of the next iteration is the moving step length L multiplied by the regression factor alpha so as to narrow the search range; 2. and if the optimal position of the longicorn changes after iteration, the step length of the next iteration is traced back to the initial step length, the search range of the algorithm is increased, and the probability of the algorithm falling into the local optimal position is reduced.

The above process can be described by equation (21):

wherein L is_originalValue representing the step size of the movement during initialization, X_bestRepresents the optimal position, X, of the longicorn at the last iteration_next-bestRepresents the optimal position of the longicorn at the next iteration, i is the iteration number (i)>0)， L_iThe step size of the longicorn in the ith iteration.

(5) EBAS algorithm description

The EBAS algorithm is specifically realized by the following steps:

step 1: parameters for initializing the EBAS algorithm: the method comprises the number M of problem clusters and the optimization dimension n of each problem cluster, and initializes the sensing directions dir of M longicorn and the distance d between two antennae of the longicorn according to the values of M and n₀The optimization times N, the iteration step length L and the decay factor lambda of the step length after each iteration.

Step 2: respectively calculating left and right antenna positions X in the sensing direction of each longicorn_lAnd X_rAnd substituting the calculated objective function values cost into the objective function to calculate the objective function values cost of the left and right antenna positions_l、cost_r。

And step 3: and (3) calculating the next updated position X of the longicorn according to the left and right antenna objective function values calculated in the step (2), and calculating a new objective function value cost _ nest.

And 4, step 4: comparison cost_l、cost_rAnd selecting an optimal value as a current optimal objective function value, recording the position of the longicorn at the moment, and updating the position according to an optimal position updating strategy.

And 5: if the best _ cost value changes, the iteration step length is restored to the initial state; otherwise, updating according to a backtracking step updating rule.

Step 6: and (5) repeatedly executing the steps 2, 3, 4 and 5 until an iteration stop condition is met.

(6) EBAS algorithm complexity analysis

The maximum iteration number of the algorithm is assumed to be N, and the optimization dimension is assumed to be D. In the BAS algorithm, the complexity of initializing longicorn individuals is o (d), and then in each iteration, the following steps need to be completed: 1. and calculating the objective function values of the left antenna and the right antenna of the longicorn individual, wherein the time complexity is O (1). 2. The position of the longicorn individual is updated, and the time complexity is O (1). 3. And determining the optimal position of the current longicorn, wherein the time complexity is O (1), so that the complexity of one iteration completed by the algorithm is O (1+1+ 1). The total temporal complexity is O (N (1+1+1) + D), i.e., O (N). The time complexity of the initialization phase of the EBAS algorithm is also o (d).

Then, in each iteration, the following steps are required: 1. determining the optimizing direction dir of each problem cluster according to the number M of the problem clusters_iAnd the corresponding left and right whisker positions in each optimizing direction, the time complexity is O (M). 2. The left and right whisker positions in each optimizing direction are combined into a left and right whisker position set respectively, and the time complexity is O (1). 3. And calculating the target function values of the left and right longicorn individuals, wherein the time complexity is O (1). 4. And updating the individual position of the longicorn, and calculating an objective function value with the time complexity of O (1). 5. Selecting the time complexity of the optimal position from the left and right longicorn beards and the updated position as O (1), judging whether the time complexity of the optimal position is changed as O (1), judging whether the time complexity of the longicorn movement step length is adjusted as O (1), and finishing the time complexity of one iteration as O (M +1+1+1+1+ 1). Therefore, the total time complexity of the algorithm is O (N (M +1+1+1+1+1+1) + D), i.e., O (NM). In general, the number of problem clusters M is much smaller than N, so the time complexity of the EBAS algorithm is O (N).

Analysis shows that compared with the BAS algorithm, the EBAS algorithm does not increase time complexity, improves convergence accuracy, and overcomes the defect that the original BAS is easy to fall into local optimization.

In a third aspect, the SAE-DRN intrusion detection algorithm according to the embodiment of the present application is described in detail.

(1) Algorithm structure

The complexity of the internet structure, the enlargement of the scale and the increase of the application, the accumulation of the experience of an attacker and the variable attack modes require that the intrusion detection system has more intelligent characteristics and universality. Aiming at the detection problems of large network data flow, high complexity, hidden relation among data attributes and the like, an intrusion detection algorithm based on SAE-DRN is designed. And by combining a sparse self-encoder (SAE) with ultrahigh precision feature extraction capability and a deep residual error network (DRN) with strong expression capability on complex data, the internal relation hidden in the complex intrusion data is deeply excavated, and the detection capability of a detection algorithm on the intrusion data is improved.

The SAE-DRN intrusion detection algorithm adopts SAE and DRN neural networks in the upper layer structure of the classifier to enhance the information integrity of network data feature extraction, and carries out multi-level and nonlinear activation transformation on the extracted data features on the basis, thereby further mining the essential features of the data and improving the accuracy of data classification.

Considering that the existing network intrusion data types are numerous, the EBAS algorithm is utilized to carry out autonomous optimization on the number of network layers and the number of neurons in each layer of the SAE-DRN algorithm so as to determine the network scale which can better adapt to the task characteristics and the task types and improve the adaptability and the generalization capability of the SAE-DRN detection algorithm to different network attacks.

The SAE-DRN intrusion detection algorithm structure is shown in fig. 5a, 5b and 5 c.

(2) The SAE-DRN intrusion detection algorithm is trained as follows:

step 1: determining the number of problem clusters according to task properties (the division of the problem clusters is shown in table 1), constructing an all-round variable step length search algorithm based on the problem clusters, and initializing the optimizing direction, optimizing times, iteration step length and a decay factor lambda of the step length after each iteration of the longicorn.

Step 2: the EBAS algorithm is executed and the hyper-parameters are output. And transmitting the hyper-parameters output by the EBAS algorithm into an SAE module and a DRN module, thereby determining the number of network layers and the number of neurons in each layer in the two modules.

At the beginning of the operation of the algorithm, the depth and width of the neural network of the SAE-DRN in the SAE-DRN intrusion detection algorithm are not determined, so that the EBAS algorithm needs to be started based on a random initial value to determine the number of network layers and the number of neurons in each layer of the SAE-DRN.

And step 3: the different intrusion detection data sets are normalized. And merging and disordering the data sets to further obtain a mixed and normalized data set X.

And 4, step 4: x is input to the SAE and the SAE module is pre-trained.

And 5: inputting the characteristic data of the data set X obtained in the step 4 into the DRN, and training the DRN.

Step 6: and adjusting parameters layer by layer, calculating and returning loss values of the training set and the cross validation set, taking the loss values as objective function values of the EBAS, and updating relevant parameters of the EBAS module.

The loss function used in processing the second class problem in the embodiment of the present application is binary _ cross detailed formula (22), and the loss function used in processing the multi-class problem is: the structural _ cross is shown in the formula (23).

WhereinTag value, y, representing a sample_iThe predicted value is represented by a value of the prediction,tag value, y, representing class m samples_imThe probability value representing the probability that the classifier predicts the sample as the mth class, n represents the number of samples, and m represents the number of classifications.

And 7: and (6) repeatedly executing the step 3 to the step 6 until an iteration termination condition of the EBAS is triggered, and acquiring the optimal parameters of the SAE-DRN neural network.

The steps 4-7 are performed with the aim of achieving parameter optimization of the EBAS algorithm. As the time for training the SAE-DRN neural network to the optimal performance is longer, the training iteration number of the neural network in the step 4-7 is set to be 1-10, the training iteration number of the SAE is set to be 2, and the training iteration number of the DRN is set to be 5.

And 8: and transmitting the optimal hyper-parameters to an SAE module and a DRN module, training the modules, and verifying an actual intrusion detection data set after the training is finished.

In a fourth aspect, experimental design and analysis are performed on the method provided in the embodiments of the present application.

(1) Evaluation index of algorithm

Because the intrusion detection data set is an unbalanced data set, the quantity difference between normal samples and abnormal samples is large, and the Accuracy rate cannot fully reflect the detection performance of the intrusion detection algorithm, the Accuracy rate, the Recall rate, the F1-score and the AUC value are introduced for evaluation, wherein the Accuracy rate (Accuracy), the Accuracy rate (Precision), the Recall rate (Recall) and the F1-score value are calculated by taking the unbalance of the category F1-score into consideration in a weighting mode, and the Accuracy rate (Accuracy), the Accuracy rate (Precision), the Recall rate (Recall) and the F1-score value are defined by an expression (16) to an expression (20).

The ROC curve reflects the relationship between false positive rate and true positive rate, the area below the curve is AUC which represents the prediction accuracy, the higher the AUC is, the higher the prediction accuracy is, and finally, a micro-average ROC curve and a macro-average ROC curve are introduced in the embodiment of the application to reflect the classification results of different algorithms on a large number of samples and a small number of sample attack types.

F1-score＝(∑α_k×F1_k)²Formula (28)

The detailed meanings of the parameters in equations (24) to (28) are shown in Table 2.

TABLE 2

(2) Experimental data

In order to verify the effectiveness of the SAE-DRN intrusion detection algorithm, the embodiment of the application adopts a KDD CUP99 data set, an NSL-KDD data set and an UNSW _ NB15 data set to evaluate the algorithm. Each record in the KDD CUP99 dataset has 41 features, with 38 dimensions being numeric features and the other 3 dimensions being symbolic features. In addition, the system also comprises 1 label characteristic which indicates the type of the network connection, and comprises one Normal network behavior, four attack behaviors of DoS attack, Probe attack, R2L attack and U2R attack. The NSL-KDD adopts the same data format as the KDD CUP99, but the NSL-KDD data set optimizes the KDD CUP99 data set, and makes up for the defects of redundancy and bias in the KDD CUP99 data set.

The UNSW _ NB15 data set is acquired by an australian security laboratory in 2015 under a real network environment, and compared with a KDD CUP99 data set and an NSL-KDD data set, the UNSW _ NB15 data set can better embody actual network data characteristics, so that the algorithm is verified in the UNSW _ NB15 data set in the embodiment of the application. Each record of the data set contains 42 features and 1 tag feature, wherein the tag feature comprises a Normal and 9 attack behaviors, namely Fuzzers, Analysis, Backdoors, DoS, explores, Generic, Reconnaissance, Shellcode, and Worms.

(3) Results of binary classification experiments

The observation on the accuracy rate shows that: the SAE-DRN intrusion detection algorithm has the highest accuracy when the KDD CUP99, the NSL-KDD and the UNSW _ NB15 are classified in two ways, and respectively reaches 0.9868, 0.9446 and 0.9431. Other algorithms such as SVM, LR, KNN, CART, RF are all less accurate on the three datasets than the SAE-DRN algorithm. When KDD CUP99 is subjected to binary classification, the detection accuracy of the RF algorithm is 0.9622, and is the highest relative to SVM, LR, KNN and CART, but still lower than the accuracy of SAE-DRN; when the NSL-KDD is subjected to a two-classification experiment, the accuracy rate of the NSL-KDD is that the RF algorithm is optimally 0.8983 in SVM, LR, KNN, CART and RF, but the difference between the NSL-KDD and SAE-DRN is still 4.63%; when UNSW _ NB15 is classified in two ways, the classification accuracy of SAE-DRN is 0.9431, which is 1.7% higher than that of SVM with the best accuracy in SVM, LR, KNN, CART and RF.

Because the KDD CUP99, NSL-KDD, UNSW _ NB15 binary data sets are unbalanced data sets, the intrusion detection performance of each algorithm is further analyzed in the aspects of Precision, Recall, F1-score, AUC and the like.

When KDD CUP99 is classified, the comprehensive detection performance of SVM and LR is the worst, Precision is only 0.8982 and 0.8948 which are respectively 10 percent and 10.34 percent lower than SAE-DRN; in the aspect of F1-score, the three algorithms are 0.9456 and 0.9436 respectively, and are 4.61 percent and 4.81 percent lower than SAE-DRN respectively; KNN and CART are lower than SAE-DRN in Precision and F1-score, but the difference between KNN and CART and SAE-DRN is not great. The ROC graph reflects the relationship between true and false positive rates. The curve divides the whole graph into two parts, the area of the lower part of the curve is AUC which is used for representing the prediction accuracy, and the higher the AUC is, the higher the prediction accuracy is.

In the experiment, fig. 7a, 7b, and 7c show ROC curves for binary classification of various algorithms provided in the embodiments of the present application. Fig. 7a corresponds to KDD CUP99, fig. 7b corresponds to NSL-KDD, and fig. 7c corresponds to UNSW _ NB 15. When KDD CUP99 is classified, the area surrounded by the ROC curve of SAE-DRN is the largest, the AUC value is 0.98, and the AUC value is respectively 0.21, 0.22, 0.14, 0.12 and 0.06 higher than that of SVM, LR, KNN, CART and RF. When the NSL-KDD data is classified in two ways, the comprehensive performance of SAE-DRN is still ahead of SVM, LR, KNN, CART and RF. Most notably, SVM was 0.2713, 0.8866, 0.9934 lower on Precision, Recall, F1-score indices than SAE-DRN, respectively, as compared to SAE-DRN.

In the experiment, the AUC value of SAE-DRN is the maximum and is far higher than that of SVM in FIG. 7 b. When binary classification is carried out on UNSW _ NB15 data sets, SVM is superior to LR, KNN, CART, RF5 and other algorithms, Precision, Recall and F1-score are respectively 0.9209, 0.9472 and 0.9338, but Precision and F1-score values are still lower than SAE-DRN by 0.0348 and 0.0141; in addition, SAE-DRN is also superior to other algorithms in AUC values. The binary classification experiment result can prove that the SAE-DRN algorithm can improve the detection accuracy of intrusion detection, can also obviously reduce the false alarm rate, and has better detection performance.

(4) Multivariate classification experimental results

The method is characterized in that various performance indexes of SAE-DRN, SVM, LR, KNN, CART and RF in the process of performing multi-component classification on KDD CUP99, NSL-KDD and UNSW-NB15 data sets respectively are shown, and because the number of experimental data sets is large, detection indexes aiming at various attack types are not listed in detail in the embodiment of the application, and only comprehensive indexes aiming at the detection of various data sets are listed. Meanwhile, considering that the multi-classification data sets including KDD CUP99, NSL-KDD and UNSW _ NB15 are unbalanced data sets, the method and the device introduce a micro-average ROC curve graph and a macro-average ROC curve graph so as to distinguish the detection effects of various algorithms on the attack types with a large number of samples and the attack types with a small number of samples. The micro-average ROC graph reflects the classification condition of the algorithm on data with a large number of samples, the macro-average ROC graph describes the classification condition of the algorithm on data with only a small number of samples, and the larger the area enclosed by the micro-average ROC graph and the macro-average ROC graph is (the larger the AUC value is), the better the classification performance of the algorithm is.

When the KDD CUP99, NSL-KDD and UNSW _ NB15 data sets are subjected to multi-element classification, the values of Accuracy, Precision, Recall and F1-score of SAE-DRN are higher than those of SVM, LR, KNN, CART and RF. When the SAE-DRN algorithm is used for carrying out multi-element classification on KDD CUP99, Accuracy, Precision, Recall and F1-score are respectively 0.9884, 0.9841, 0.9884 and 0.9856 which are respectively higher than SVM, LR, KNN, CART and RF algorithms by 3.24-10.48%, 3.79-9.67%, 3.24-10.48% and 3.56-12.27%; when NSL-KDD is subjected to multi-element classification, each evaluation index of SAE-DRN algorithm is also far superior to SVM, LR, KNN, CART and RF algorithms, particularly far-super SVM and CART algorithms, SAE-DRN is 38.85% higher than SVM and 38.93% higher than CART in the aspect of Accuracy; SAE-DRN is 62.26% higher than SVM and 62.99% higher than CART in Precision; in the aspect of Recall, SAE-DRN is 38.85 percent higher than SVM, and 38.93 percent higher than CART; the SAE-DRN is 54.35 percent higher than SVM and 54.53 percent higher than CART in the aspect of F1-score. When the UNSW _ NB15 data set is subjected to multi-element classification, the comprehensive performance of KNN, CART and RF is poor, all evaluation indexes are in the range of 0.4227-0.7196, SVM and LR are slightly good in performance, all the evaluation indexes are in the range of 0.6388-0.7771, SAE-DRN is optimal in performance, and the Accuracy, Precision, Recall and F1-score are respectively 0.8283, 0.8041, 0.8283 and 0.8117 which are far higher than those of other algorithms.

Fig. 8a and 8b are graphs of micro-average ROC and macro-average ROC of KDD CUP99 provided in the embodiments of the present application; FIGS. 8c and 8d are graphs of the NSL-KDD micro-average ROC curve and the macro-average ROC curve provided in the embodiment of the present application; fig. 8e and 8f are graphs of UNSW-NB15 micro-average ROC and macro-average ROC provided by the embodiment of the present application.

It can be seen from fig. 8a that when SAE-DRN performs multivariate classification on KDD CUP99 dataset, the area (AUC value) enclosed by the micro-average ROC graph is 0.99, and the AUC values of the rest algorithms are all below 0.99 between 0.93-0.97, but the difference is not large; however, the AUC value of SAE-DRN is 0.77, which is 6% -16% higher than that of other algorithms, as can be seen from the macro-average ROC graph, which shows that SAE-DRN has better performance than other algorithms when identifying the attack type with less samples, such as U2R.

FIG. 8b shows the superiority of SAE-DRN compared with other algorithms, where the AUC of SAE-DRN in the micro-average ROC plot is 0.95% higher than other algorithms by 5% -24%, and the AUC of SAE-DRN in the macro-average ROC plot is 0.81% higher than other algorithms by 12% -31%, which indicates that the SAE-DRN has performance far superior to other algorithms regardless of the number of samples when performing multi-classification on the NSL-KDD dataset.

FIG. 8c shows that the area enclosed by the micro-average and macro-average ROC curves of SAE-DRN is the largest when UNSW-NB15 is subjected to multi-classification, which indicates that the performance of SAE-DRN in multi-classification of UNSW-NB15 is also superior to that of other algorithms.

The analysis shows that the areas surrounded by the micro-average ROC curves are larger than the areas surrounded by the macro-average ROC curves when the algorithms perform multi-element classification on each data set, and the detection capability of each algorithm on attack data with a large number of attacks is high, and the detection capability of each algorithm on samples with a small number of attacks is low. However, the area (AUC value) enclosed by the micro-average ROC curve and the macro-average ROC curve drawn according to the SAE-DRN classification result is the maximum relative to other algorithms. The SAE-DRN algorithm can also improve the intrusion detection accuracy rate on the intrusion detection problem of multi-classification, and meanwhile, the false alarm rate is obviously reduced, and the detection performance is better.

With reference to the foregoing embodiments, fig. 9 illustrates an intrusion detection method provided in an embodiment of the present application, where the method includes the following steps:

step 901: determining the number of problem clusters according to task properties, constructing an all-round variable step size search algorithm based on the problem clusters, and initializing the optimization direction, the optimization times, the iteration step size and the regression factor lambda of the step size after each iteration of the longicorn.

Step 902: and executing the EBAS algorithm and outputting the super parameters, transmitting the super parameters output by the EBAS algorithm into an SAE module and a DRN module, and determining the number of network layers and the number of neurons in each layer in the SAE module and the DRN module.

Step 903: and carrying out normalization processing on different intrusion detection data sets to obtain a mixed and normalized data set X.

Step 904: the data set X is input to the SAE module and the SAE module is pre-trained.

Step 905: inputting the feature data of the data set X obtained in the step 904 into the DRN module, and training the DRN module.

Step 906: and adjusting parameters layer by layer, calculating and returning loss values of the training set and the cross validation set, taking the loss values as objective function values of the EBAS module, and updating relevant parameters of the EBAS module.

Step 907: and repeatedly executing the steps 903 to 906 until an iteration termination condition of the EBAS module is triggered to obtain the optimal parameters of the SAE-DRN neural network.

Step 908: and transmitting the optimal parameters to the SAE module and the DRN module, training the optimal parameters, and verifying an actual intrusion detection data set after training.

In a possible implementation manner, the specific implementation steps of the EBAS algorithm are as follows:

Step c: calculating the next updated position X of the longicorn according to the left and right antenna objective function values, and calculating a new objective function value cost _ nest;

step e: if the best _ cost value changes, the iteration step length is restored to the initial state; otherwise, updating according to a backtracking step updating rule;

step f: and c, repeatedly executing the steps b, c, d and e until an iteration stop condition is met.

Therefore, the embodiment of the application provides a self-adaptive depth network intrusion detection method based on the combination of a sparse self-encoder and a depth residual error network, and effectively solves the problems of low accuracy and high false alarm rate of the traditional intrusion detection method. The convolution layer in the traditional DRN residual block is replaced by a full connection layer to simplify the network structure, reduce the network parameter quantity and accelerate the network training, and the activation function layer originally after the jump layer connection is moved to the front of the jump layer connection, thereby more effectively solving the problems of gradient explosion, gradient disappearance and network 'degeneration'. Meanwhile, the embodiment of the application designs an improved longicorn stigma search algorithm EBAS, so that the whole algorithm can adaptively determine the network layer number of an internal neural network and the number of neurons in each layer of the network.

Experiments show that the SAE-DRN algorithm has obvious advantages compared with the traditional intrusion detection algorithm in each evaluation index no matter on a KDD CUP99 data set, an NSL-KDD data set or an UNSW-NB15 data set. The next step of research is mainly to expand the detection range of the SAE-DRN detection algorithm and further improve the detection capability of the SAE-DRN detection algorithm on other network security threats.

Based on the same technical concept, an embodiment of the present application further provides an intrusion detection system, as shown in fig. 10, the system includes:

the data processing module 1001 is configured to determine the number of problem clusters according to task properties, construct an all-dimensional variable step size search algorithm based on the problem clusters, and initialize the optimization direction, the optimization times, the iteration step size, and the decay factor λ of the step size after each iteration of the longicorn.

The EBAS optimizing module 1002 is configured to execute an EBAS algorithm and output a superparameter, transmit the superparameter output by the EBAS algorithm to the SAE module and the DRN module, and determine the number of network layers and the number of neurons in each layer in the SAE module and the DRN module; and carrying out normalization processing on different intrusion detection data sets to obtain a mixed and normalized data set X.

An SAE-DRN training module 1003, configured to input the data set X to the SAE module, and pre-train the SAE module; inputting the obtained characteristic data of the data set X into the DRN module, and training the DRN module; adjusting parameters layer by layer, calculating and returning loss values of a training set and a cross validation set, taking the loss values as objective function values of the EBAS module, and updating relevant parameters of the EBAS module; repeatedly executing until an iteration termination condition of the EBAS module is triggered to obtain the optimal parameters of the SAE-DRN neural network; and transmitting the optimal parameters to the SAE module and the DRN module, training the optimal parameters, and verifying an actual intrusion detection data set after training.

In a possible implementation, the EBAS optimizing module 1002 is specifically configured to: the EBAS algorithm is specifically realized by the following steps:

Step c: calculating the next updated position X of the longicorn according to the left and right antenna objective function values, and calculating a new objective function value cost _ nest;

step e: if the best _ cost value changes, the iteration step length is restored to the initial state; otherwise, updating according to a backtracking step updating rule;

step f: and c, repeatedly executing the steps b, c, d and e until an iteration stop condition is met.

Based on the same technical concept, an embodiment of the present application further provides an apparatus, including: the device comprises a data acquisition device, a processor and a memory; the data acquisition device is used for acquiring data; the memory is to store one or more program instructions; the processor is configured to execute one or more program instructions to perform the method.

Based on the same technical concept, the embodiment of the present application also provides a computer-readable storage medium, wherein the computer-readable storage medium contains one or more program instructions, and the one or more program instructions are used for executing the method.

In the present specification, each embodiment of the method is described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. Reference is made to the description of the method embodiments.

It is noted that while the operations of the methods of the present invention are depicted in the drawings in a particular order, this is not a requirement or suggestion that the operations must be performed in this particular order or that all of the illustrated operations must be performed to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.

Although the present application provides method steps as in embodiments or flowcharts, additional or fewer steps may be included based on conventional or non-inventive approaches. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an apparatus or client product in practice executes, it may execute sequentially or in parallel (e.g., in a parallel processor or multithreaded processing environment, or even in a distributed data processing environment) according to the embodiments or methods shown in the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded.

The units, devices, modules, etc. set forth in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, in implementing the present application, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of a plurality of sub-modules or sub-units, and the like. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be considered as a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.

The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, classes, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.

From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a mobile terminal, a server, or a network device) to execute the method according to the embodiments or some parts of the embodiments of the present application.

The embodiments in the present specification are described in a progressive manner, and the same or similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.

The above-mentioned embodiments are further described in detail for the purpose of illustrating the invention, and it should be understood that the above-mentioned embodiments are only illustrative of the present invention and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the present invention should be included in the scope of the present invention.

37页详细技术资料下载

上一篇：一种医用注射器针头装配设备

下一篇：基于BCCA优化模型的生物粒子团簇体构建方法

Intrusion detection method, system, equipment and readable storage medium

相关技术

网友询问留言