Intrusion detection model based on hybrid convolutional neural network and recurrent neural network  Cited by: 12


Authors: FANG Yuan; LI Ming; WANG Ping; JIANG Xinghe; ZHANG Xinming[2] (Division of Information Communication, State Grid Anhui Electric Power Company Limited, Hefei Anhui 230061, China; School of Computer Science and Technology, University of Science and Technology of China, Hefei Anhui 230027, China)

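Affiliations: [1] Division of Information Communication, State Grid Anhui Electric Power Company Limited, Hefei 230061 [2] School of Computer Science and Technology, University of Science and Technology of China, Hefei 230027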

Source: Journal of Computer Applications, 2018, No. 10, pp. 2903-2907, 2917 (6 pages)

Funding: National Key Research and Development Program of China (017YFC0804402)

Abstract: Aiming at the problem of advanced persistent threats in power information networks, a hybrid Convolutional Neural Network (CNN) and Recurrent Neural Network (RNN) intrusion detection model was proposed, by which the current network state is classified according to statistical characteristics of network traffic. Firstly, the statistical values of network traffic were obtained from log files, and pre-processing such as feature encoding and normalization was performed. Secondly, spatial correlation features between the intrusion traffic of different hosts were extracted by using deformable convolution kernels in a deep CNN. Finally, the processed data containing the spatial correlation features were staggered in time, and the temporal correlation features of the intrusion traffic were mined by a deep RNN. The experimental results showed that the Area Under Curve (AUC) of the model was increased by 7.5% to 14.0% compared to traditional machine learning models, and the false positive rate was reduced by 83.7% to 52.7%. This indicates that the proposed model can accurately identify the type of network traffic and significantly reduce the false positive rate.

Keywords: advanced persistent threat; network traffic; convolutional neural network; recurrent neural network

Classification number: TP391 [Automation and Computer Technology - Computer Application Technology]

 
