面向不平衡数据集的网络入侵检测算法  被引量：2

作　　者：徐忠原 杨秀华 王业 李玲[3] XU Zhongyuan;YANG Xiuhua;WANG Ye;LI Ling(College of Electrical Information,Changchun University of Architecture,Changchun 130604,China;Big Data and Network Information Center,Jilin University,Changchun 130012,China;College of Communication Engineering,Jilin University,Changchun 130012,China)

机构地区：[1]长春建筑学院电气信息学院,长春130604 [2]吉林大学大数据和网络管理中心,长春130012 [3]吉林大学通信工程学院,长春130012

出　　处：《吉林大学学报（信息科学版）》2023年第6期1112-1119,共8页Journal of Jilin University（Information Science Edition）

基　　金：吉林省科技发展计划基金资助项目(20190302073GX)。

摘　　要：针对入侵检测数据集存在类别不平衡问题,提出了系统化数据预处理与混合采样相结合的网络入侵检测算法。根据入侵检测数据集的特征分布,对特征值进行系统化处理。首先对Proto、Service和State 3个类别特征,合并每类特征中样本数较少的取值,以降低独热编码的维度;然后依据数值分布将其中18个极端分布的数值特征进行对数处理后再执行Z-score标准化。设计了Nearmiss-1欠采样与SMOTE(Synthetic Minority Over-sampling Technique)过采样相结合的类别不平衡处理技术,将训练集中每类样本按照Proto、Service和State类别特征分成子类,对每个子类进行等比例欠采样或过采样。建立了入侵检测模型PSSNS-RF(Nearmiss and SMOTE based on Proto,Service,State-Random Forest),在UNSW-NB15数据集上的多分类检出率达到97.02%,解决了数据不平衡问题,显著提高了少数类的检出率。A network intrusion detection algorithm that combines systematic data pre-processing and hybrid sampling is proposed for the problem of class imbalance in intrusion detection datasets.Based on the feature distribution of the intrusion detection dataset,the feature values are systematically processed as follows:for the three categorical features,“Proto”,“Service” and “State”,minor categories within each feature are combined to reduce the total dimension of one-hot encoding;the 18 extremely distributed numerical features are processed with logarithm and then standardized according to the numerical distribution.The class imbalance processing technology,which combines Nearmiss-1 under-sampling and SMOTE(Synthetic Minority Over-sampling Technique) is designed.Each class of samples in the training dataset is divided into sub-classes based on the “Proto”,“Service” and “State” categorical features,and each sub-class is under-sampled or oversampled in equal proportion.The intrusion detection model PSSNS-RF(Nearmiss and SMOTE based on Proto,Service,State-Random Forest) is built,which achieves a 97.02% multiclass detection rate in the UNSW-NB15 dataset,resolving the data imbalance problem and significantly improving the detection rate of minority classes.

关 键 词：网络入侵检测 不平衡数据集 特征选择 网络安全 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]