Research on Network Intrusion Detection (网路入侵检测系统研究)

Research on Network Intrusion Detection Based on Benford's Law and Machine Learning

Abstract

While the popularization of the Internet benefits people, it also brings enormous security risks. Ever-escalating network intrusions can lead to a series of serious security problems, such as leakage of personal privacy and system paralysis. Intrusion detection technology has matured considerably: the adoption of new techniques such as machine learning has addressed the rigid methods and poor adaptivity of traditional intrusion detection and has, to some extent, raised the detection rate. However, the inherent limitations of machine learning algorithms mean that existing solutions still face two main problems: the first is how

framework, Filter-XGBoost. The first layer of this detection framework is a detection model based on adaptive thresholds; the second layer is an XGBoost detection model tuned by the Bayesian Optimization Algorithm (BOA), which further analyses the anomalous windows flagged by the first layer to achieve fine-grained detection accurate to a single flow. Compared with either detection model used on its own, Filter-XGBoost combines the strengths of both. Compared with other algorithms,

accurate to a single flow. Compared with the separate detection models, Filter-XGBoost combines the advantages of both detection models. Compared with other algorithms, Filter-XGBoost performs well in detection rate and false alarm rate.

1.4 Organization of this thesis  11
1.5 Chapter summary  11

Network Intrusion Detection Based on the Improved SOM Algorithm

(College of Electronic and Information Engineering, Nanjing Tech University, Nanjing 211816, Jiangsu, China)

Abstract: To address the problem of raising the network intrusion detection rate and classifying intrusions correctly, an improved self-organizing map (SOM) network algorithm is proposed. The algorithm reduces over-learning by adaptively adjusting the competition mechanism, and uses a dynamic weighting mechanism based on grey relational analysis to reduce the influence of impurities among neighbourhood neurons. Experimental results on the KDD CUP 99 data set show that the method achieves higher accuracy.

Keywords: self-organizing map neural network; adaptive competition mechanism; grey relation; intrusion detection
CLC number: TP393  Document code: A  DOI: 10.16086/j.cnki.issn1000-0380.201510017

Abstract: For enhancing the network intrusion detection rate and implementing correct classification, an improved self-organizing map (SOM) algorithm is proposed. With this algorithm, excessive learning is decreased through adaptive adjustment of the competitive mechanism, and the influence of impurities in neighbourhood neurons is reduced by a dynamic weights mechanism based on grey relation analysis. The result of tests based on the KDD CUP 99 data set shows that this method features higher accuracy.
Keywords: self-organizing map (SOM); neural network; adaptive competitive mechanism; grey relation; intrusion detection

0 Introduction

With the development of information technology, network security problems are receiving more and more attention.

Research on Deep-Learning-Based Network Intrusion Detection Technology

With the rapid development of the Internet, network security problems have become increasingly prominent. Network intrusions bring enormous losses and risks to individuals and organizations, so research on and application of network intrusion detection technology has become critical. In recent years, deep learning, as a powerful data analysis tool, has achieved remarkable results in many fields. This article discusses research on deep-learning-based network intrusion detection technology.

I. Introduction to deep learning

Deep learning is an important branch of machine learning; its core idea is to emulate the learning and recognition ability of the neural networks in the human brain. Compared with traditional machine learning methods, deep learning learns representations of data through multi-layer neural network structures, extracting features automatically and performing efficient classification and prediction.

II. Problems and challenges of network intrusion detection

Network intrusion detection means identifying potential intruders and security threats by monitoring and analysing anomalous behaviour in network traffic. However, traditional intrusion detection methods often rely on expert-designed rules or feature engineering and cannot adapt to the constantly changing network security environment. In addition, network intrusion involves large volumes of data and complex patterns, and traditional methods often fail to capture the hidden regularities and correlations within them.

III. Deep-learning-based network intrusion detection technology

Deep-learning-based network intrusion detection technology uses deep neural network structures to automatically learn and extract features from network traffic, and to classify and predict intrusion behaviour. Compared with traditional methods, it has the following advantages:

1. Automatic feature learning: deep learning can automatically learn the most representative features from raw network traffic data, without depending on laborious feature engineering.

2. Multi-level representation: deep learning models learn feature representations at different levels through multi-layer neural network structures, which improves detection accuracy and generalization ability.

3. Strong generalization ability: through large-scale training data and optimization algorithms, deep learning can capture the implicit regularities and correlations in network intrusions, giving it strong generalization ability.

4. Real-time response: deep-learning-based intrusion detection can process large-scale network traffic data in real time and detect intrusions quickly and accurately, improving the speed of the network security response.

IV. Deep-learning-based network intrusion detection models

Deep-learning-based network intrusion detection models can be divided into two categories: models based on traditional neural networks and models based on convolutional neural networks.

1. Models based on traditional neural networks: traditional neural network models such as the multi-layer perceptron (MLP) and the recurrent neural network (RNN) can be applied to network intrusion detection tasks.

Network Intrusion Detection Based on Bat-Algorithm-Optimized RELM

As the Internet grows ever larger and more complex, network security has become a key and hot research problem, and network intrusion is the principal threat to network security, so network intrusion detection is of great importance. The main current methods of network intrusion detection are artificial neural networks, support vector machines and the like [1-2]; however, these algorithms suffer from long training times, high complexity and low detection accuracy. To raise the accuracy of network intrusion detection, a network intrusion [detection method] based on the Bat Algorithm (BA) [3] optimizing the Regularized Extreme Learning Machine (RELM) is proposed
provides a new method for intrusion detection.

Keywords: bat algorithm; regularized extreme learning machine; particle swarm optimization; intrusion detection; neural network
CLC number: TP391.1
Document code: A
Network intrusion detection based on bat algorithm optimizing RELM

a swarm intelligence algorithm, proposed on the basis of the following three assumptions [4]:

Assumption 1: all bats sense distance by echolocation.
Assumption 2: a bat at position X_i flies randomly with velocity V_i, searching for prey with a variable wavelength λ, a fixed frequency f_min and loudness A_0; during the search it automatically adjusts the wavelength or frequency of the emitted pulses and, according to the proximity of the prey, automatically adjusts the pulse emission rate r ∈ [0, 1].
Assumption 3: in the BA algorithm, the loudness is assumed to vary from a maximum A_0 down to a fixed minimum A_min.

2 Regularized extreme learning machine

The mathematical model of the Extreme Learning Machine (ELM) is [5]:

$f_L(x) = \sum_{i=1}^{L} \beta_i \, G(a_i, b_i, x)$   (6)

where L is the number of hidden-layer nodes; a_i and b_i are the input weight and the bias of the i-th hidden-layer node, with a_i ∈ R^n and b_i ∈ R;

Computer English paper (on network security: intrusion detection), English version

Intrusion Detection in Network Security
Zhang San 201221xxxx
Master of Computing, xxx xx xx University, Wuhan, China

Abstract—With the development of computer network technology, the risk of network intrusion has also greatly increased, and traditional encryption and firewall technology can no longer meet today's security needs. Intrusion detection technology has therefore developed quickly in recent years; it is a new, dynamic security mechanism that detects and prevents system intrusion behaviour. Unlike traditional security mechanisms, intrusion detection has features such as intelligent surveillance, real-time detection and dynamic response. In a sense, intrusion detection technology is a reasonable supplement to firewall technology.

Index Terms—network security, intrusion detection

I. The Necessity of Intrusion Detection

With the development of computer network technology, the destructive effects and losses caused by network attacks have also greatly increased. Network security is becoming more and more complicated, and traditional, passive encryption and firewall technology cannot withstand diverse and complex attacks. Intrusion has recently become easy for many people with computer skills, and many intrusion tutorials and tools are available. It is therefore of great significance and necessity to develop intrusion detection systems.

II. The Development of Intrusion Detection Systems

In 1980, James P. Anderson wrote a book named "Computer Security Threat Monitoring and Surveillance", which explained in detail the concept of intrusion detection, the threat classifications of computer systems, and the idea of monitoring intrusion activities using audit trail data. From 1984 to 1986, Dorothy Denning and Peter Neumann worked out a real-time intrusion detection system model, IDES. In 1990, L. Heberlein and others developed NSM (Network Security Monitor), which was a great step forward for IDS and led to the distinction between network-based IDS and host-based IDS. After 1988, the United States began to study DIDS (Distributed Intrusion Detection System), which became a milestone product in the history of IDS. From the 1990s to now, the research and development of intrusion detection systems has made great progress in intelligence and distribution.

III. Definition and Work-flow

A. Definition
Intrusion detection is the discovery of intrusion behaviour. It collects and analyses data from key points in computer networks or computer systems, and checks whether there are behaviours that violate security policies or signs of attack in the networks or systems. It can then raise an alarm or make a corresponding response in time to ensure the confidentiality and availability of system resources.

B. Work-flow
1) Information gathering. The first step of intrusion detection is information gathering. The information includes the contents of network traffic, the states and behaviours of user connections, and user activities.
2) Signal analysis. Three techniques are used to analyse the information gathered above: pattern matching, statistical analysis and integrity analysis.
3) Real-time recording, alarming and limited counterattack. The fundamental goal of an IDS is to respond appropriately to intrusion behaviour, which includes detailed logging, real-time alarms and limited counterattack measures.

IV. Generic Model and Framework

A. The Generic Model
In 1987, Denning proposed an abstract generic model of intrusion detection. As Figure 1 shows, the model mainly consists of six parts: subjects, objects, audit records, activity profiles, exception records and activity rules.

Figure 1

B. The Framework
In recent years the market for intrusion detection systems has developed very quickly, but the lack of interoperability between different systems hinders the development of intrusion detection, because there is no corresponding general standard. To solve the interoperability and coexistence problem between different IDSs, the US Defense Advanced Research Projects Agency (DARPA) started the CIDF (Common Intrusion Detection Framework) standard, trying to provide a fundamental structure that allows intrusion detection, analysis and response systems to work together. The security laboratory at the University of California at Davis finally completed the CIDF standard. The main purposes of the framework are:
1) IDS component sharing, that is, a component of one IDS can be used by another IDS.
2) Data sharing, that is, all kinds of IDS data can be shared and transferred between different systems in the standard data format provided.
3) To improve universality standards and establish a set of development interfaces and support tools.
The CIDF sets out the generic model of an intrusion detection system; it classifies an IDS into the components below:
a) Event generators: obtain events from the whole computing environment and provide them to the other parts of the system.
b) Event analysers: analyse the data obtained and produce the analytic results.
c) Response units: the functional unit that responds to the analytic results. It can take a strong action such as cutting off the connection or changing the attributes of files, or just raise a simple alarm.
d) Event databases: the collective name for the places where all kinds of data are stored. It can be a complex database or a simple text file.

V. The Classification of Intrusion Detection

A. Host-based Intrusion Detection
It usually uses the operating system's audit and trace logs as data sources for detecting intrusion; some systems also interact with the host to obtain information that does not exist in the system logs. This type of detection system needs no additional hardware. It is insensitive to network traffic, has high efficiency, and can accurately locate an intrusion and respond in a timely manner. However, it occupies host resources and depends on the reliability of the host. At the same time, it can only detect a limited range of attacks, and it cannot detect network attacks.

B. Network-based Intrusion Detection
By passively listening to the raw traffic transmitted on the network, it processes the network data and extracts useful information from it, and then recognizes attacks by matching against known attack signatures or by comparison with a profile of normal network behaviour. Such a detection system does not rely on the operating system as a detection resource and can be used on different operating system platforms. It has a simple configuration and needs no special auditing or logging mechanism. It can also detect protocol attacks, attacks specific to particular environments, and so on. But it can only monitor activity on the network, and cannot obtain the real-time status of the host system, which limits its accuracy. Most intrusion detection tools are network-based intrusion detection systems.

C. Distributed Intrusion Detection
This kind of intrusion detection system generally has a distributed structure composed of multiple components, using host-based intrusion detection on key hosts and network-based intrusion detection at key points of the network. It analyses both the audit logs from the host systems and the data traffic from the network to detect whether a protected system is under attack.
The three kinds of intrusion detection system above each have their own advantages and disadvantages, and they can complement each other. A complete intrusion detection system (IDS) must be a distributed system based on both hosts and the network, but at present there is no perfect IDS to serve as a model. In fact, commercial products are rarely based on only one kind of intrusion detection model. Intrusion detection systems implemented with different structures and different techniques have different advantages and disadvantages, and each of them can only be used in a particular environment.

VI. The Methods of Intrusion Detection

At present there are many intrusion detection methods used in IDSs. Some common methods are listed below.

A. Statistical Method
The statistical method is commonly used in production intrusion detection systems, normally for anomaly detection. It is a relatively mature intrusion detection method: it lets the intrusion detection system identify abnormal activities that differ from normal activities by learning users' main daily behaviours.

B. Expert System
Using an expert system to detect intrusion is usually aimed at diagnosable intrusions. The so-called rules are the knowledge. The establishment of an expert system depends on the completeness of its knowledge base, and the completeness of the knowledge base depends on the completeness and timeliness of the audit data.

C. Keystroke Monitor
Keystroke monitoring is a simple method of detecting intrusion by analysing the patterns of users' keystroke sequences. It can be used in host-based intrusion detection. The disadvantages of this technique are very obvious. To begin with, batch processing or a shell program can directly invoke an attack command sequence without keystrokes. Secondly, operating systems generally do not provide a keystroke detection interface, so an extra hook function is needed to monitor the keystrokes.

D. Model-based Method
Attackers often use a certain behavioural sequence in attacking a system, such as guessing passwords; this kind of behavioural sequence forms a model with a certain behavioural signature. On this basis, attack attempts can be detected. The advantage of this method lies in its sound uncertainty reasoning. The model-based intrusion detection method can monitor only some of the major audit events; after these events it starts to record detailed audit data, so as to reduce the processing load of audit events.

E. Pattern Matching
The intrusion detection method based on pattern matching encodes known intrusion features into patterns that correspond to audit records. When a new audit event occurs, this method looks for a matching intrusion pattern.

VII. Intrusion Detection Technology

Intrusion detection technology is one of the core technologies in security auditing, and is also an important component of network security protection. There are two main techniques of intrusion detection: anomaly detection and misuse detection.

A. Anomaly Detection
Anomaly detection can be classified into static anomaly detection and dynamic anomaly detection. Static anomaly detection retains a characteristic representation or backup of the static part of the system. When, during a detection run, the static part of the system differs from the former characteristic representation or backup, it is concluded that the system was attacked. Dynamic anomaly detection targets behaviour. Profiles describing the normal behaviour of systems and users must be established before detection. When the difference between the current behaviour and the normal behaviour recorded in the profiles exceeds a predefined threshold, it is concluded that the system was attacked.

B. Misuse Detection
Misuse detection is mainly used to detect known attack methods: it judges whether the user's behaviour matches an attack method in the signature library. Obviously, misuse detection has high accuracy, and its shortcomings also stem from this feature. With the fast development of attack models, the system can only detect new attack methods if new models are added to the signature library.

VIII. The Architecture of Intrusion Detection

Throughout the history of the development of intrusion detection technology, the architecture has mainly taken the following forms.

A. Integrated Structure
In the early development of intrusion detection systems, an IDS mostly used a single architecture: all the work, including collection and analysis of the data, was completed on a single host by a single program. The advantage of this technique is that the centralized processing of data makes analysis of possible intrusions more accurate. The disadvantage is that the centralized processing of data makes the host a bottleneck of network security: when it fails or is attacked, there is no guarantee for the security of the whole network. In addition, this way of gathering data is very difficult to achieve for a large network. The drawbacks of a centralized intrusion detection system mainly lie in:
1) Poor expansibility. Processing all the information on a single host limits the scale of the monitored network.
2) Hard to reconfigure and add new features. The IDS usually needs to be restarted for new settings and functions to take effect.
3) The central analyser is a single point of failure. If it is destroyed by invaders, the whole network loses its protection.

B. Distributed Structure
As intrusion detection products are applied to enterprises day by day, distributed technology has also been integrated into intrusion detection products. This kind of distributed structure uses multiple agents that separately detect intrusion in various parts of the network and handle possible intrusions. Its advantage is that it can monitor data well and detect both internal and external intrusion behaviour. But this technology cannot completely solve the shortcomings of centralized intrusion detection. The current network is generally a hierarchical structure, but purely distributed detection requires the agents to be distributed within the same layer. If the layer is too low, it cannot detect intrusions aimed at the upper layer; if the layer is too high, it cannot detect intrusions aimed at the lower layer. At the same time, since no single agent has full knowledge of the network data, it cannot accurately judge certain attacks and is easily defeated by attacks aimed at the IDS, such as IP fragmentation.

C. Layered Structure
Because of the restriction of single-host resources and the distribution of attack information, many detection units must work together against high-layer attacks, and the detection unit is generally an intelligent agent. Therefore recent intrusion detection architectures have begun to consider using a layered hierarchy to detect intrusions, which are becoming more and more complex, as shown in Figure 2.

Figure 2

In this kind of system, the lowest-layer agent is responsible for collecting all the basic information; it then processes this information simply and completes simple judgment and handling. Its characteristics are fast speed, high efficiency and large data volume, but it can only detect some simple attacks. The middle-layer agent is a link between the layer below it and the layer above it. On the one hand, it can accept and process the data processed by the lower nodes; on the other hand, it can contact the upper layer, make judgments and output the results to the upper nodes, which enhances the scalability of the system. The top node is mainly responsible for management and coordination of the whole. In addition, it can dynamically adjust the node hierarchy according to the requirements of the environment in order to implement dynamic configuration of the system.

IX. The Development Direction of Intrusion Detection

With the rapid development of network technology, intrusion technology has also developed day by day. Switching technology and data communication through encrypted channels make network data gathering methods defective. Moreover, the huge traffic volume brings new requirements for data analysis. The development directions of intrusion detection technology mainly include the following:

A. Distributed Intrusion Detection Architecture
The traditional IDS is limited to a single host or network architecture, which is obviously insufficient for heterogeneous systems and large-scale network detection, and different IDSs cannot work together. Therefore it is necessary to develop a distributed intrusion detection architecture.

B. Application-Layer Intrusion Detection
Many semantics relevant to intrusion detection can only be understood by the application, but the current IDS can only handle general protocols such as the Web; it cannot deal with other application systems such as Lotus Notes or database systems.

C. Intelligent Intrusion Detection
Intrusion methods are becoming more and more diversified and comprehensive. Although intelligent agents, neural networks and genetic algorithms are now applied in intrusion detection technology, these are just tentative research efforts; further research on intelligent IDSs is still needed to improve their abilities.

D. The Self-protection of Intrusion Detection Systems
Once the intrusion detection system is controlled by invaders, the security of the whole system faces the danger of collapse. How to prevent invaders from undermining the functions of the intrusion detection system will therefore remain a problem for a long time.

E. The Evaluation Method of Intrusion Detection
Users need to evaluate many IDSs; the evaluation indexes include the IDS's detection range, its occupation of system resources and its own reliability. Designing a platform for evaluating or testing IDSs, in order to assess various IDS systems, has become another important research and development field for current IDSs.

X. Conclusion

As network security issues have become increasingly salient, the development of intrusion detection has greatly accelerated, and it has already begun to play a key role in various environments. Predictably, the development of intrusion detection technology has important significance and profound influence for network applications. The future development direction of IDS will be intelligent, distributed intrusion detection systems. How to develop an IDS with self-owned intellectual property will become an important task in the field of information security for China.

Research on Machine-Learning-Based Network Intrusion Detection Methods

Communication Network Technology  DOI: 10.19399/j.cnki.tpt.2023.02.057
SUN Yukun 1, HAN Yubiao 2
(1. Sinochem Transportation Construction Group Operation Management (Shandong) Co., Ltd., Jinan 250014, Shandong, China; 2. Shandong Information Technology Industry Development Research Institute, Jinan 250014, Shandong, China)

Abstract: Considering that traditional methods suffer from low accuracy, detection rate and F1 score when detecting network intrusion data, a machine-learning-based network intrusion detection method is proposed. Based on changes in the transmission volume of network intrusion data, the transmission volume of the intrusion data is estimated; by initializing the parameters of the machine learning algorithm, a probability matrix of the network intrusion data extraction results is obtained; the feature vector for network intrusion data detection is used as the input of the machine learning algorithm to build a network intrusion detection model, and network intrusion detection is realized. Experimental results show that the proposed method can effectively improve the detection rate and F1 score in the process of detecting network intrusion data, and has better detection performance.
Keywords: machine learning algorithm; network intrusion; feature extraction; transmission volume; detection method; observation vector

Research on Network Intrusion Detection Method Based on Machine Learning
SUN Yukun 1, HAN Yubiao 2
(1. Sinochem Transportation Construction Group Operation Management (Shandong) Co., Ltd., Jinan 250014, China; 2. Shandong Electronic Information Products Inspection Institute, Jinan 250014, China)
Abstract: Considering the low accuracy, detection rate and F1 score of traditional methods in detecting network intrusion data, a network intrusion detection method based on machine learning is proposed. According to the change of network intrusion data transmission, the transmission amount of network intrusion data is estimated. By initializing the parameters of the machine learning algorithm, the probability matrix of network intrusion data extraction results is obtained. The feature vector of network intrusion data detection is used as the input of the machine learning algorithm to build a network intrusion detection model, and network intrusion detection is realized. The experimental results show that the method in this paper can effectively improve the detection rate and F1 score in the process of detecting network intrusion data, and has better detection performance.
Keywords: machine learning algorithm; network intrusion; feature extraction; transmission quantity; detection method; observation vector

0 Introduction

As Internet technology continues to develop, networks are frequently subjected to intrusions, so detecting network intrusion data and behaviour can guarantee network security [1-3].

A Survey of Network Intrusion Detection Technology

科技广场 (Science Mosaic), 2010, No. 5

0 Introduction

With the wide application and popularization of the Internet, network security is receiving more and more attention from society. Because of design flaws in protocols, programming languages, networks, operating systems and other application software, vulnerabilities introduced during coding, improper configuration, lax maintenance and poor usage habits, the information systems we use are full of fragile vulnerabilities beneath their seemingly powerful functions. As soon as people trigger them, intentionally or not, huge losses may result. Research on network security is therefore of great significance. Intrusion detection technology is a new generation of security technology following traditional protective measures such as firewalls and data encryption; it can not only prevent external intrusions but also detect illegal internal users, and has considerable practical significance and application value.

1 The state of research on network intrusion detection

The purpose of intrusion detection is to monitor the resources in a network and to detect anomalous behaviour and abuse of the system. This idea has only been truly incorporated into the overall information security architecture in the last ten-odd years. The concept of intrusion detection was first proposed by James Anderson in 1980. His paper first pointed out that audit trails contain important information of great value for tracking misuse and understanding user behaviour, which began the "detection" of misuse and of specific user events. The concept of intrusion detection became the foundation for the later design and development of intrusion detection systems, and marked the beginning of host-based intrusion detection and of intrusion detection systems. Subsequently, the research of Dr. Dorothy Denning pushed intrusion detection systems a big step forward. Dr. Denning's work mainly concerned intrusion detection systems based on user behaviour; her important work (An Intrusion Detection Model) provided the knowledge necessary to develop a commercial intrusion detection system and became the basis followed by most later IDS development. At the same time, researchers at UC Davis in California were also devoted to research on intrusion detection systems. They designed a new method of analysing audit data by comparing it with predefined models; this technique was later used in the Distributed Intrusion Detection System (DIDS). The appearance of DIDS extended existing intrusion detection solutions from tracking clients to tracking servers, bringing the IDS approach into a new stage.

Research on Community Detection and Anomaly Detection in Complex Networks

With the rapid development of the Internet, people are increasingly closely connected. In this globalized era, networks have become an important platform for everyday communication. Complex networks, as an important part of this, have complex structures and diverse connection patterns; examples include social networks, e-mail networks and protein interaction networks. Research on community detection and anomaly detection in complex networks helps us better understand network structure and discover the hidden regularities and anomalies within it.

Community detection in complex networks means identifying sets of nodes that are densely connected to each other and whose internal structure is relatively independent. Discovering community structure helps us understand the relationship patterns between nodes in a network, and can help us predict node behaviour, analyse information propagation paths, and so on. Many community detection methods have been proposed, for example connection-based methods, node-similarity-based methods and modularity-based methods.

Connection-based methods partition communities mainly by analysing the edge weights between nodes. The best-known is the Girvan-Newman algorithm, which partitions communities by repeatedly removing the edge with the highest edge betweenness centrality from the network. However, such methods are inefficient on large-scale networks. To solve this problem, researchers have proposed many fast and effective community detection algorithms, such as the Louvain algorithm and the Label Propagation algorithm. These algorithms partition communities by optimizing for strong connections within communities and weak connections between communities, achieving efficient community detection.

Node-similarity-based methods partition communities mainly by measuring the similarity between nodes. For example, after computing a similarity matrix between nodes, hierarchical clustering or spectral clustering can be used to group similar nodes into communities. There are also content-based methods that partition communities by analysing node attribute values; in a social network, for instance, user communities can be partitioned according to users' interests. These methods can effectively mine the implicit patterns between network nodes and discover latent community structure.

Besides community detection, anomaly detection also plays an important role in complex network research. An anomalous node is one that differs from the other nodes, in that its behaviour or attributes deviate substantially from those of the rest of the network. The presence of anomalous nodes may adversely affect the normal operation of the network, so they need to be discovered and handled promptly. Anomaly detection techniques help us find these anomalous nodes and take corresponding measures to maintain the stability of the network.

Research on Deep-Learning-Based Network Intrusion Prevention Technology

Article number: 1007-757X(2020)11-0093-05
ZHOU Luming 1, ZHENG Mingcai 2
(1. Department of Information Statistics, Hubei Cancer Hospital, Wuhan 430079, Hubei, China; 2. Network Engineering College, Jiangxi Software Vocational and Technical University, Nanchang 330041, Jiangxi, China)

Abstract: With the rapid development of Internet technology, the number of network users has surged; in China alone nearly half of the population are users. A network of such scale brings enormous potential benefits to network attackers, and sets higher requirements for the prevention of network intrusion. Traditional network defence means can only identify specific network intrusion behaviours and cannot respond intelligently and dynamically to complex intrusions, so they have gradually become unable to meet current needs. Therefore, aiming at the problem of network intrusion prevention, a deep-learning-based intrusion detection method is proposed and the design of an intrusion prevention system is described. First, the severe situation currently facing network intrusion prevention is introduced; second, the framework issues in network intrusion detection and network intrusion prevention are explained; third, the design of the deep-learning-based intrusion detection algorithm is described in detail and the key points of intrusion prevention design are set out; finally, the effectiveness and accuracy of the intrusion detection algorithm are verified by simulation. The simulation results show that the designed algorithm achieves high threat detection accuracy on complex intrusion data; on the test data set, the detection rate computed according to the formula is 95.22% and the false alarm rate is 0.67%.
Keywords: intrusion prevention; deep learning; neural network; intrusion detection
CLC number: TP242.3  Document code: A

Research on Network Intrusion Prevention Technology Based on Deep Learning
ZHOU Luming 1, ZHENG Mingcai 2
(1. Department of Information Statistics, Hubei Cancer Hospital, Wuhan 430079, China; 2. Network Engineering College, Jiangxi Software Vocational and Technical University, Nanchang 330041, China)
Abstract: With the rapid development of Internet technologies, the number of network users has increased rapidly. In China, nearly half of the population are users. Such a large-scale network has brought huge potential benefits to network attackers, and puts forward higher requirements for the defense of network intrusion. Traditional network defense means can only screen specific network intrusions and cannot deal with complex network intrusions intelligently and dynamically. Therefore, it is increasingly difficult to meet current needs. Aiming at the problem of network intrusion prevention, this paper proposes an intrusion detection method based on deep learning, and expounds the design method of the intrusion prevention system. Firstly, the paper introduces the severe situation of network intrusion prevention. Secondly, the framework of network intrusion detection and network intrusion prevention is discussed. Thirdly, the design method of the intrusion detection algorithm based on deep learning is elaborately explained, and the key points of intrusion prevention design are expounded. Finally, the effectiveness and accuracy of the intrusion detection algorithm are verified through simulation. Simulation results show that the proposed algorithm has a high threat detection accuracy for complex intrusion data, and the detection rate of the test data set calculated according to the formula is 95.22% and the false alarm rate is 0.67%.
Keywords: intrusion prevention; deep learning; neural networks; intrusion detection

0 Introduction

After 2000, Internet technology in China reached a peak of development, driven by both policy support and real demand. Network technologies such as the Internet of Things, big data and cloud computing have since emerged, improving people's production and daily life through the power of technological change and effectively raising the utilization efficiency of social resources [1]. The advantages of the Internet come from its interconnection and openness, optimizing the allocation of existing social resources around network services [2]. But any openness carries a degree of data security threat, and the Internet, with its massive data throughput and the huge population it serves, is constantly exposed to enormous security threats, which poses unprecedented challenges for maintaining network security [3]. According to incomplete statistics from the National Internet Information Center, by mid-2018 the number of Internet users in China had exceeded 660 million, growing steadily by about 20 to 30 million per year from 2014 to 2018 [4].

Analysis of Intrusion Detection in Wireless LANs

RESEARCH ON INTRUSION DETECTION IN WLAN

ABSTRACT

Since the 802.11 protocol was introduced, WEP (Wired Equivalent Privacy), the foundation of its security mechanism, has been shown to be weak and vulnerable. To improve the security of WLANs, the IEEE has put forward a series of protocols such as WPA and IEEE 802.11i. However, these protocols only strengthen the encryption and authentication of WLANs. As attacks on WLANs become more complicated, strengthening WLAN security requires introducing intrusion detection systems. There are two problems in intrusion detection for WLANs. First, not many vulnerabilities have been detected, and the attacks found are not easy to simulate; both can be attributed to insufficient research on attacks. Second, there are no systems specifically for WLAN intrusion detection. The IEEE 802.11 protocol defines standards for the physical and MAC layers, so research on WLAN intrusion detection should focus on these two layers. However, the intrusion detection methods presented in some references are not supported by experiments, and most intrusion detection systems are based on the network layer or above, which may lead to low efficiency and increase the cost at the network layer. According to the CIDF framework, an intrusion detection system consists of an event collector, an event analyser and an event response unit. The data sources collected by the event collector are the foundation of detection and response, so to improve detection efficiency the data sources must be studied first. In this thesis, attacks on WLANs are studied according to the vulnerabilities of the 802.11 protocol, such as rogue APs, rogue MAC addresses and denial of service, which occur frequently in WLANs. The characteristics and principles of these attacks are studied, and DoS attacks are simulated with Lorcon functions, which send control frames and management frames to the WLAN. Then an intrusion detection system based on the MAC layer is presented. In the physical layer, the control frames and management frames are captured with libpcap, and attacks are then detected by signature matching. Unlike former systems, the BM algorithm is applied during signature matching. For the choice of detection method, misuse detection is selected, as it is difficult to build anomaly models owing to the dynamic structure of WLANs. In the subsequent experiments, several DoS attacks, including disassociation and RTS/CTS attacks, are successfully detected. Since the models of MAC-layer WLAN intrusion detection systems, the experimental environments and the capture of MAC frames are similar, if the central processing unit is supplied with suitable rule cases, the range of detection can be extended to other 802.11 attacks.

Keywords: WLAN, 802.11 Protocol, MAC Attack, Intrusion Detection

Abbreviations
WLAN  Wireless Local Area Network
WEP   Wired Equivalent Privacy
DSSS  Direct Sequence Spread Spectrum
FHSS  Frequency Hopping Spread Spectrum
MAC   Media Access Control
OFDM  Orthogonal Frequency Division Multiplexing
BSS   Basic Service Set
DS    Distribution System
IBSS  Independent BSS
AP    Access Point
IDS   Intrusion Detection System
SSID  Service Set Identifier
WPA   Wi-Fi Protected Access
EAP   Extensible Authentication Protocol
CRC   Cyclic Redundancy Check
TKIP  Temporal Key Integrity Protocol
MIC   Message Integrity Check
MPDU  MAC Protocol Data Unit
RSN   Robust Secure Networks
WAPI  WLAN Authentication and Privacy Infrastructure
WAI   WLAN Authentication Infrastructure
WPI   WLAN Privacy Infrastructure
ASU   Authentication Service Unit
DoS   Denial of Service
SIFS  Short Interframe Space
DIFS  DCF Interframe Space
RTS   Ready to Send
CTS   Clear to Send
CIDF  Common Intrusion Detection Framework

Shanghai Jiao Tong University Thesis Originality Declaration
I solemnly declare that the submitted thesis is the result of research work I carried out independently under the guidance of my supervisor.

Application of Convolutional Neural Networks in Intrusion Detection


Information & Computer (China Computer & Communication), 2020, No. 7, Computer Engineering and Application Technology
Application of Convolutional Neural Networks in Intrusion Detection
Zhao Xin (North China Electric Power University, Beijing 102206)

Abstract: Intrusion detection is an important research direction in the field of power monitoring network security.

At present, the popular detection technique is to train intrusion samples with traditional machine learning algorithms in order to obtain an intrusion detection model.

The diversity of attack characteristics in wireless network traffic leaves traditional intrusion detection techniques with a high false alarm rate, low detection efficiency and poor generalization ability.

Deep learning is an advanced technique that automatically extracts features from samples; thanks to these advantages it has been widely applied to intrusion detection and can effectively improve the ability to detect malicious intrusions.

On this basis, this paper focuses on the application of convolutional neural networks in intrusion detection.

Keywords: convolutional neural network; intrusion detection; deep learning; power network security
CLC number: TP393.08; TP183. Document code: A. Article ID: 1003-9767(2020)07-023-03

The Application of Convolutional Neural Network in Intrusion Detection
Zhao Xin (North China Electric Power University, Beijing 102206, China)
Abstract: Intrusion detection is an important research direction in the field of power monitoring network security. At present, the popular detection technology is to use the traditional machine learning algorithm to train the intrusion samples, so as to obtain the intrusion detection model. The diversity of wireless network traffic attack characteristics leads to the problems of high false alarm rate, low detection efficiency and poor generalization ability of traditional intrusion detection technology. Deep learning is an advanced technology, which can automatically extract features from samples. With its own advantages, it has been widely used in intrusion detection, and can effectively improve the ability to detect malicious intrusion. Based on this, the application of convolutional neural network in intrusion detection is analyzed.
Key words: convolutional neural network; intrusion detection; deep learning; power network security

About the author: Zhao Xin (1995–), female, from Ningjin, Hebei; master's student.

Research on Network Intrusion Detection and Response Techniques Based on Reinforcement Learning


Title: Research on Network Intrusion Detection and Response Techniques based on Reinforcement Learning

Abstract: With the rapid development of the internet and the increasing complexity of network security threats, network intrusion detection and response have become crucial for maintaining the security and integrity of computer systems. Traditional signature-based intrusion detection systems (IDSs) have limitations in detecting unknown or novel attacks. Therefore, this paper investigates the application of reinforcement learning (RL) techniques in network intrusion detection and response.

Keywords: Reinforcement learning, network security, intrusion detection, response techniques.

1. Introduction
Network security breaches can lead to severe consequences, including data theft, system damage, and financial losses. The constantly evolving threat landscape necessitates the development of more advanced intrusion detection and response techniques. This paper aims to explore the potential of reinforcement learning in enhancing network security, particularly in the field of intrusion detection and response.

2. Network Intrusion Detection Systems
2.1 Signature-based IDSs: Signature-based IDSs rely on pre-defined patterns or signatures to detect known attacks. However, they are ineffective against zero-day attacks and cannot adapt to new attack variations.
2.2 Anomaly-based IDSs: Anomaly-based IDSs analyze network traffic or behavior patterns to identify deviations from normal activities, which may indicate an intrusion. While capable of detecting unknown attacks, they often suffer from high false positive rates.

3. Reinforcement Learning
3.1 Overview of RL: Reinforcement learning is a branch of machine learning that focuses on making decisions based on interactions with an environment and received rewards. RL algorithms aim to maximize a cumulative reward over time by learning optimal policies.
3.2 Components of RL: This section discusses the key components of RL, including the agent, environment, state, action, reward, and policy. Reinforcement learning algorithms such as Q-learning and Deep Q-Networks (DQN) are briefly explained.

4. Reinforcement Learning in Network Intrusion Detection
4.1 State Representation: The selection of appropriate features and their representation in RL is critical for effective intrusion detection. This section discusses potential state representations, including packet-level features, flow-level features, and high-level behavioral features.
4.2 Action Space: The action space in network intrusion detection can include actions such as labeling an observed data point as normal, malicious, or unknown. RL models need to explore the network space efficiently to accurately classify network traffic.
4.3 Reward Design: This section investigates various reward design strategies, including accuracy-based rewards, efficiency-based rewards, and penalty-based rewards. The choice of appropriate rewards plays a significant role in RL model performance.

5. Reinforcement Learning in Network Intrusion Response
5.1 Action Selection for Incident Response: Reinforcement learning can be employed in incident response to autonomously determine appropriate actions upon detecting a network intrusion. Various actions, such as blocking traffic, escalating security levels, and reconfiguring network settings, can be explored.
5.2 Adaptive Intrusion Response: This section examines how reinforcement learning can continuously learn and adapt its response strategies based on the changing network security landscape. The importance of updating RL models with new attack samples is emphasized.

6. Challenges and Future Directions
6.1 Imbalanced Data Distribution: Real-world network intrusion datasets are often imbalanced, making intrusion detection challenging. This section proposes techniques to address this issue through cost-sensitive learning and data augmentation.
6.2 Sample Efficiency and Scalability: Reinforcement learning algorithms often require a large number of interactions to converge, which may be time-consuming and impractical in network intrusion detection. This section explores methods to improve sample efficiency and scalability, such as transfer learning and meta-learning.

7. Conclusion
This paper presents a comprehensive overview of the application of reinforcement learning techniques in network intrusion detection and response. The advantages and potential challenges of RL in this field are highlighted, and future research directions are suggested.

Research on Machine Learning-Based Network Intrusion Detection Methods


Title: An Investigation on Machine Learning-Based Network Intrusion Detection Methods

Abstract: With the ever-increasing reliance on computer networks for various applications, the need for effective network security measures has become paramount. Network intrusion detection systems play a crucial role in safeguarding network infrastructures from malicious activities. Traditional signature-based intrusion detection systems are limited in their ability to detect new and unknown attacks. To overcome these limitations, machine learning techniques have gained prominence in recent years. This paper aims to investigate and analyze various machine learning-based methods used for network intrusion detection.

1. Introduction: The introduction provides background information on the significance of network intrusion detection systems and their limitations. It provides an overview of the objectives of the paper and outlines the structure of the subsequent sections.

2. Traditional Network Intrusion Detection Systems: This section discusses the shortcomings of traditional signature-based intrusion detection systems, such as their reliance on predefined attack patterns and inability to detect unknown attacks. It also presents an overview of anomaly-based intrusion detection systems as an alternative approach, which forms the basis for machine learning-based methods.

3. Machine Learning Techniques in Network Intrusion Detection: This section explores various machine learning algorithms and techniques used for network intrusion detection. It provides a detailed explanation of popular algorithms such as decision trees, support vector machines, artificial neural networks, and ensemble methods. Additionally, it discusses the pre-processing steps involved in feature selection and dimensionality reduction.

4. Evaluation Metrics and Datasets: To evaluate the performance of machine learning-based methods, this section discusses commonly used evaluation metrics, such as accuracy, precision, recall, and F1 score. It also presents and describes widely used datasets for training and testing intrusion detection models, such as the NSL-KDD dataset.

5. Implementation and Experimental Results: This section describes the implementation of machine learning-based intrusion detection models using a selected dataset. It presents the experimental setup, including feature extraction, model training, and testing procedures. The results are analyzed and compared in terms of various performance metrics to evaluate the effectiveness of different machine learning techniques.

6. Challenges and Future Directions: This section discusses the challenges and limitations of machine learning-based network intrusion detection systems. It identifies issues such as the imbalance of dataset classes, adversarial attacks, and model interpretability. Additionally, it suggests potential research directions to overcome these challenges and improve the effectiveness of intrusion detection systems.

7. Conclusion: The conclusion summarizes the findings from the investigation and emphasizes the importance of machine learning-based methods in network intrusion detection. It highlights the benefits and limitations of these methods and provides suggestions for future research in this domain.

Research on a Wavelet-Transform Neural Network Intrusion Detection System


Contents
Abstract (Chinese) (3)
Abstract (4)
Chapter 1 Introduction (5)
1.1 Research background and significance (5)
1.2 Domestic and international state of intrusion detection (5)
1.3 Research content and main innovations of this thesis (6)
1.4 Organization of the thesis (6)
Chapter 2 Intrusion Detection Technology (8)
2.1 The concept of intrusion detection (8)
2.2 Functions of intrusion detection (8)
2.3 Components and structure of intrusion detection (8)
2.4 Existing intrusion detection analysis techniques (10)
2.4.1 Static configuration analysis (10)
2.4.2 Anomaly detection techniques (10)
2.4.3 Misuse detection techniques (11)
2.4.4 Development directions of intrusion detection (13)
Chapter 3 Wavelet Neural Networks (15)
3.1 Wavelet analysis theory (15)
3.1.1 Origin and proposal of wavelet analysis methods (15)
3.1.2 Applications of wavelet analysis (15)
3.1.3 The wavelet transform (16)
3.2 Artificial neural network theory (18)
3.2.1 Basic theory of neural networks (18)
3.2.2 Structural model of the neuron (18)
3.2.3 General framework of neural networks (19)
3.3 Wavelet neural network theory (19)
3.3.1 Basic structure of wavelet neural networks (19)
3.3.2 Wavelet neural network learning algorithm (20)
3.3.3 Wavelet neural network training methods (20)
3.3.4 Training and algorithm of BP networks (21)
3.3.5 Simulation comparison of wavelet networks and the BP algorithm (22)
Chapter 4 Application of Wavelet Neural Networks in Intrusion Detection (25)
4.1 Design goals of the intrusion detection system (25)
4.2 Design of the wavelet neural network intrusion detection model (26)
4.3 Application of the detection system's working modes (27)
4.4 Simulation experiments and results (30)
Conclusion (35)
Acknowledgements

References (37)

Abstract

In today's society, the Internet is used ever more widely.

Network services of all kinds, such as electronic banking, e-commerce and QQ chat, have become an important part of people's lives.

Network attacks of all kinds have also been increasing steadily.

People have come to recognize deeply the importance of ensuring network security.

As an active information security safeguard, intrusion detection can effectively make up for the shortcomings of traditional security protection technologies.

Research on a Network Intrusion Detection Model Based on Feature Selection


Research on a Network Intrusion Detection Model Based on Feature Selection
Li Wen

Abstract: In order to select features effectively from the collected malicious data for analysis and to safeguard the security and stability of network systems, research on network intrusion detection models is needed. The current approach uses a genetic algorithm to find a feature subset of network intrusions, refines it with particle swarm optimization (PSO) to find the optimal feature subset, and finally classifies network intrusions with an extreme learning machine; but this method has low accuracy. Therefore, a network intrusion detection model based on feature selection is proposed. The method first performs feature selection for network intrusion detection with the goal of improving optimization performance, constructs an evaluation function for feature subsets from the Fisher ratio of the feature attributes using the selected features, and then applies a support vector machine (SVM) together with the computed feature-subset evaluation function to complete the feature-selection-based network intrusion detection model. Simulation experiments show that using an SVM to detect network intrusions effectively improves both the speed and the accuracy of intrusion detection.

Journal: Computer Measurement & Control
Year (volume), issue: 2017 (025) 008
Pages: 4 (pp. 214-217)
Keywords: feature selection; network intrusion; Fisher ratio; support vector machine
Author: Li Wen
Affiliation: Department of Information Engineering, Guangdong Vocational College of Science and Trade, Guangzhou 510640
Language: Chinese
CLC number: TP393

With the increasingly wide application of Internet technology, the security and reliability of the Internet attract more and more attention [1].

Information Security: Intrusion Detection Technology


Production/expert systems were one of the early schemes for misuse detection; they were used in MIDAS, IDES, NIDES, DIDS and CMDS.
The road ahead is long and far.
2020/3/30
3. State transition methods
State transition methods use system states and state transition expressions to describe and detect intrusions; they structure misuse detection with optimal pattern matching techniques, which improves the speed and flexibility of detection.
Misuse detection refers to detecting intrusions by applying known attack methods and judging whether predefined intrusion patterns appear.
3. Classification by detection timeliness
An IDS can process data in real-time online detection mode, or in batch mode, performing offline detection on the raw data at scheduled times; each method has its own characteristics (see Figure 5-5).
Intrusion detection systems are usually divided into five classes: host-based, network-based, hybrid intrusion detection, gateway-based, and file-integrity-based detection.
2. Classification by detection theory
In terms of the specific detection theory, intrusion detection can be divided into anomaly detection and misuse detection.
Anomaly detection (Anomaly Detection) judges whether an intrusion has occurred from how normal the user's behavior or resource usage is, rather than from whether a specific behavior appears.
• History of intrusion detection
In 1990, Heberlein et al. proposed a landmark new concept: network-based intrusion detection, the Network Security Monitor (NSM).
In 1991, NADIR (Network Anomaly Detection and Intrusion Reporter) and DIDS (Distributed Intrusion Detection System) showed that a series of coordinated attacks against hosts could be detected by collecting and merging audit information from multiple hosts.

Network Security, Chapter 6: Intrusion Detection

Classification by architecture
Centralized: several audit programs distributed on different hosts and one intrusion detection server.
Hierarchical: several ranked monitoring zones are defined; each IDS is responsible for one zone and passes its local analysis results to the IDS one level up.
Cooperative: the tasks of the central detection server are distributed among several host-based IDSs; these IDSs have no ranking, each performing its own duty of monitoring certain activities on its local host.
Classification by working mode
Weaknesses of statistical anomaly detection:
The order in which events occur is not considered, so attacks that exploit event ordering are hard to detect.
The dynamic adaptivity of statistical profiles can be abused: by changing behavior slowly, the normal profile is trained until the detection system finally judges the abnormal activity as normal.
Threshold values are hard to determine.
IDWG
Intrusion Detection Work Group
Data formats shared among IDSs and between IDSs and network management systems; unified communication procedures
Drafts
IDMEF (Intrusion Detection Message Exchange Format), IDXP (Intrusion Detection Exchange Protocol); it will still take time for them to become RFCs
Contents of this lecture (intrusion detection)
Overview of intrusion detection; intrusion detection architecture; intrusion detection techniques; intrusion detection deployment; development of intrusion detection
Architecture based on a distributed system
Figure: layered architecture (raw network layer (DLPI); network primitive layer; trained agent; training module with operator feedback)
At the lowest level is the raw network interface; it provides an interface that allows programs to send and receive data-link-layer packets. The network primitive layer uses primitives to take the raw network data obtained from the DLPI interface and package it into a form the agent can process. Before an agent is used to monitor the system, it must be trained until it reacts correctly to intrusions. Training works through a feedback mechanism: the operator considers whether the agent's actual behavior is close to the behavior expected for a given traffic pattern and then supplies training data; training requires the agent to reduce the number of intrusion false alarms. Multiple agents cooperate: each agent monitors one small aspect of the network's entire information flow, and in some cases several agents may be needed together to cover all aspects of a possible intrusion.

Introduction to Network Intrusion Prevention Systems (Li Xueyong)


Article ID: 1671-5977(2003)03-0030-02
Introduction to Network Intrusion Prevention Systems
Received: 2003-04-15. About the author: Li Xueyong (1977-), from Weifang, Shandong, master's student in the Department of Computer Science, North China Institute of Technology.

Li Xueyong 1, Tu Quanliang 2 (1. Department of Computer Science and Technology, North China Institute of Technology, Taiyuan 030051, Shanxi; 2. Equipment Office, Taiyuan University, Taiyuan 030009, Shanxi)
Abstract: Network security defense has become a hot topic of worldwide concern. Compared with existing network security solutions such as firewalls and intrusion detection systems (IDS), a network intrusion prevention system (IPS) can protect a user's network from many types of network intrusions and attacks with more comprehensive and more intelligent detection methods.

Keywords: intrusion prevention system; intrusion detection system; layer-7 switching; network deception
CLC number: TP393.07. Document code: E
The function of an intrusion prevention system (IPS) is to detect both known and unknown types of network attacks and to defend against them successfully.

Existing mature technologies and products, such as firewalls and intrusion detection systems, can partly fulfil the functions of an intrusion prevention system, but they all have many defects and shortcomings.

For example, a firewall cannot block attacks that come through normal channels (HTTP, FTP, SMTP, POP3, VPN ...) or are launched from the internal network, while an intrusion detection system, because of flaws in its algorithms, frequently produces false positives and false negatives and can only detect attacks, not defend against them.

Current network security solutions are still based on a border gateway firewall combined with an intrusion detection system; in particular, the increasingly rampant denial-of-service (DoS) attacks can only be addressed with this combination.

There is still no fundamentally effective way to solve DoS attacks, so the direction of development should be to build intrusion prevention systems on the foundation of intrusion detection systems.

Therefore, we first look at some technologies related to intrusion detection systems.

1. Network Intrusion Detection Systems
A network-based intrusion detection system is a bridge-like device installed on the network's transmission path; it detects and analyzes packets, processes the analyzed packets according to the rules defined by the NIDS syntax, and hands the processed packets to the firewall for filtering, thereby reducing the load on the network.


Chapter 130
Research of Network Intrusion Detection System Based on Data Mining Approaches
Xiao-chun Guo, Dong-mei Ma, Ying-juan Sun and Hong-ying Ma

Abstract This paper provides a network intrusion detection system based on data mining approaches. The framework of the intrusion detection system and the functions of its components are introduced. An anomaly intrusion detection system is implemented based on association rules. This system does not depend on experience, which makes it flexible.

Keywords Network security · Anomaly detection · Data mining · Association rule

130.1 Introduction

As network-based computer systems play increasingly vital roles in modern society, they have become the targets of our enemies and criminals. Therefore, we need to find the best ways possible to protect our systems.

Xiao-chun Guo (1972–), female, Shenyang, Master, Associate Professor; main research direction: information security and confidentiality.
X. Guo · D. Ma · H. Ma: School of Information Engineering, Shenyang Broadcasting TV University, Shenyang 110003, Liaoning, China. e-mail: guoxc72@ (X. Guo); mdm1226@ (D. Ma); mahy@ (H. Ma)
Y. Sun (corresponding author): College of Computer Science and Technology, Changchun Normal University, Changchun, China. e-mail: syj_pyf@
Y. Yang and M. Ma (eds.), Green Communications and Networks, Lecture Notes in Electrical Engineering 113, DOI: 10.1007/978-94-007-2169-2_130, © Springer Science+Business Media B.V. 2012, p. 1101

Intrusion prevention techniques, such as user authentication, avoiding programming errors, information protection and firewall technology, have been used to protect computer systems as a first line of defense. Intrusion prevention alone is not sufficient because, as systems become ever more complex, there are always exploitable weaknesses in the systems due to design and programming errors, or various "socially engineered" penetration techniques. Intrusion detection is therefore needed as another wall to protect computer systems. Currently, many intrusion detection systems are constructed by expert systems or based on statistical methods, which need more experience. Data mining approaches have the advantage that they extract the knowledge and rules people are interested in from a large amount of data, and they do not rely on experience. An intrusion detection system based on data mining approaches [1] can help to find knowledge and rules in system logs, audit data and network traffic; securing networks with this technology is a new attempt at home and abroad.

130.2 Intrusion Detection

Intrusion detection can identify people who are not authorized to use computer systems (e.g. hacking) and authorized users who have abused their authority (such as an internal attack). Intrusion detection techniques can be categorized into misuse detection, which uses patterns of well-known attacks or weak spots of the system to identify intrusions, and anomaly detection, which tries to determine whether deviation from the established normal usage patterns can be flagged as an intrusion. According to the source of the test data [2], intrusion detection systems can be divided into host-based and network-based intrusion detection systems. A host-based intrusion detection system detects possible intrusions by analyzing audit data and system logs; a network-based intrusion detection system detects possible intrusions by analyzing network packets.
130.3 Systematic Framework

We want to build a network-based anomaly detection model [1, 3, 4]. The premise of establishing the model is that the behavior of hosts and servers follows certain laws during long-term operation in the network; for example, which server the hosts frequently visit, and which ports of that server are frequently visited. In the learning phase of establishing the model, we collect data under normal network conditions, so that the law (the anomaly detection model) is the normal behavioral pattern of the hosts and servers. In the detecting phase, any connection that does not meet these rules is considered abnormal.

The framework of the anomaly intrusion detection system shown in Fig. 130.1 consists of an event generator, an event analyzer, a response unit and a cluster rule set (the anomaly detection model). The event generator captures network packets. The event analyzer analyzes the network packets obtained from the event generator according to the association rules of the cluster rule set and produces results. The response unit responds to the results of the analysis. The cluster rule set (anomaly detection model) describes the characteristics of the users' normal behavior.

130.3.1 Event Generator

To establish a TCP connection, the two sides need a three-way handshake, so a connection contains multiple IP packets. Multiple packets belonging to the same connection are merged into a connection record. A connection record contains the following attributes:

(time, duration, service, src_host, dst_host, src_bytes, dst_bytes, flag)

time: the start time of the connection.
duration: the time of the connection from beginning to end.
service: the application protocol of the connection, such as WWW, FTP, DNS, Telnet, etc.
src_host: the source host.
dst_host: the destination host.
src_bytes: the bytes the source host sends.
dst_bytes: the bytes the destination host sends.
flag: the connection status, e.g. the normal end state or a state in which the connection request was rejected.

130.3.2 Cluster Rule Set (Anomaly Detection Model)

The cluster rule set describes the characteristics of the users' normal behavior. Therefore, in the learning phase of establishing the anomaly detection model, data on the users' normal behavior must be collected. The following describes the modeling process.

130.3.2.1 Mining Association Rules

The goal of mining association rules is to derive multi-feature (attribute) correlations from a database table. Association rules are defined as follows: $I = \{i_1, i_2, \dots, i_m\}$ is called the itemset; let $D$ be a transaction database; any subset of $I$ is called a transaction $T$ ($T \subseteq I$) and has a unique identifier ID. Define $\mathrm{support}(X)$ as the percentage of transactions (records) in $D$ that contain $X$. An association rule is the expression $X \rightarrow Y\ [s, c]$, where $X \subset T$, $Y \subset T$ and $X \cap Y = \emptyset$; $s = \mathrm{support}(X \cup Y)$ is the support of the rule, and $c = \mathrm{support}(X \cup Y) / \mathrm{support}(X)$ is its confidence.

The purpose of mining association rules is to identify credible and representative rules, so a minimum support threshold and a minimum confidence threshold must be given. Mining association rules means deriving the association rules whose support and confidence exceed the specified thresholds. The mining process can be divided into two steps: first, identify all frequent itemsets, i.e. all itemsets whose support is not less than the minimum support threshold; second, from the frequent itemsets of the first step, construct the rules whose confidence is not less than the minimum confidence threshold. Here we introduce the Apriori algorithm for mining association rules [5].
We introduce some notation: k-itemset: an itemset of size k; $L_k$: the frequent itemsets of size k; $C_k$: the candidate itemsets of size k.

(1) Apriori algorithm: find all frequent itemsets
Input: database D; the minimum support threshold min_sup.
Output: the frequent itemsets L in D.

    L1 = find_frequent_1-itemsets(D);
    for (k = 2; L(k-1) ≠ ∅; k++) {
        Ck = apriori_gen(L(k-1), min_sup);
        for each transaction t ∈ D {          // scan D for counts
            Ct = subset(Ck, t);                // get the subsets of t that are candidates
            for each candidate c ∈ Ct
                c.count++;
        }
        Lk = {c ∈ Ck | c.count ≥ min_sup}
    }
    return L = ∪_k Lk;

    procedure apriori_gen(L(k-1): frequent (k-1)-itemsets; min_sup: minimum support threshold)
        for each itemset l1 ∈ L(k-1)
            for each itemset l2 ∈ L(k-1)
                if (l1[1] = l2[1]) ∧ (l1[2] = l2[2]) ∧ ... ∧ (l1[k-2] = l2[k-2]) ∧ (l1[k-1] < l2[k-1]) then {
                    c = l1 ⋈ l2;                   // join step: generate candidates
                    if has_infrequent_subset(c, L(k-1)) then
                        delete c;                  // prune step: remove unfruitful candidate
                    else
                        add c to Ck;
                }
        return Ck;

    procedure has_infrequent_subset(c: candidate k-itemset; L(k-1): frequent (k-1)-itemsets)
        for each (k-1)-subset s of c
            if s ∉ L(k-1) then
                return TRUE;
        return FALSE;

(2) Generating association rules
1) For each frequent itemset l, generate all non-empty subsets of l.
2) For each non-empty subset s of l, if support_count(l) / support_count(s) ≥ min_conf, generate the association rule "s → (l − s), min_sup, min_conf". min_conf is the minimum confidence threshold.

In analyzing network traffic, a connection is a transaction T, and the transaction database D is composed of many connection records. Each transaction T is composed of duration, service, src_host, dst_host, src_bytes, dst_bytes and flag; time is the unique identifier of the transaction. The following is an example association rule:

src_host = 202.96.7.5 ∧ dst_host = 202.108.35.210 → service = WWW, 10, 90

The association rule indicates that 10% of the network traffic connections have source host IP 202.96.7.5, destination host IP 202.108.35.210 and access service WWW, and that when the source host IP is 202.96.7.5 and the destination host IP is 202.108.35.210, the accessed service is WWW 90% of the time.

130.3.2.2 Clustering Rule Set

Clustering the rule set is the process of learning and training the anomaly detection model (association rules). The basic idea is: initialize the cluster rule set, then collect a certain amount of network data, mine these network packets and obtain some association rules. These rules are integrated into the cluster rule set, which is thereby updated. The update process is as follows:
(1) Each new association rule is matched against the association rules of the cluster rule set. Two rules match when they are exactly the same on both sides.
(2) If a new association rule matches an association rule of the cluster rule set, the counter of that rule in the cluster rule set is incremented by 1, and the support and confidence of the rule in the cluster rule set are updated by the weighted average method. Otherwise, if the new association rule does not match any rule of the cluster rule set, the new association rule is added to the cluster rule set and its counter is set to 1.
The cluster rule set is trained many times in this way until it is stable (few or no new association rules are added).

130.3.2.3 Generating the Model

The rules of the cluster rule set should be compressed: we delete those rules whose counter value is less than the minimum counter value specified by the user. The pruned cluster rule set is the anomaly detection model.

130.3.3 Event Analyzer

The captured IP packets to be tested are preprocessed and converted into connection records. Association rule mining is executed on the connection record set under test; the generated association rule set is then compared with the cluster rule set (anomaly detection model) and the similarity is calculated [3]. If the similarity is less than a user-defined threshold, we consider that the connection record set under test
contains an anomaly. Two rules match when the rules' left and right sides are equal and the deviation of the two rules' support and confidence lies within a user-defined range.

$$\mathrm{similarity} = \frac{p}{n} \times \frac{p}{m}$$

where $n$ is the number of rules in the cluster rule set, $m$ is the number of rules mined from the testing records, and $p$ is the number of rule pairs that match.

130.3.4 Response Unit

The response unit processes the result of the event analyzer. When the test result is abnormal, it alerts the security administrator, and the alarm information is stored in a file for later analysis. When the test result is normal, the generated detection rule set is integrated into the cluster rule set and the cluster rule set is updated; the updating process is described in Sect. 130.3.2.2. This gives the intrusion detection system a self-learning ability.

130.4 Conclusion

This paper describes the process of constructing a network intrusion detection model with an association rule algorithm, and how to use the anomaly detection model once it has been established. Because data mining approaches [6] can extract rules quickly from a large amount of network data, this greatly improves the performance of the intrusion detection system.

Acknowledgments This paper is supported by (1) the Project of Research on Science and Technology of the Jilin Education Ministry of China under Grant Nos. 2007-172 and 2010-383; (2) the Science-technology Development Project of Jilin Province of China under Grant No. 20115056; (3) the Natural Science Foundation of Changchun Normal University.

References
1. Lee W, Stolfo SJ (2000) Data mining approaches for intrusion detection. http:\\
2. Debar H, Dacier M, Wespi A (1999) Towards a taxonomy of intrusion-detection systems. Comput Netw 31:805–822
3. Lee W, Stolfo SJ, Mok KW (1999) A data mining framework for building intrusion detection models. In: Proceedings of the 1999 IEEE symposium on security and privacy, pp 120–132
4. Lee W, Stolfo SJ, Mok KW (2001) Mining audit data to build intrusion detection models. http:\\
5. Han J, Kamber M (2001) Data mining concepts and techniques (trans: Ming F, Xiao-Feng M). Machinery Industry Press, Beijing
6. Liu H, Lin Y, Han J (2009) Methods for mining frequent items in data streams: an overview. Knowl Inf Syst (Online: 11 Nov 2009)
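The mining and matching steps of Sect. 130.3 (Apriori over connection records, rule generation with min_sup and min_conf, and the event analyzer's (p/n)·(p/m) similarity against the cluster rule set), worked through in Python as an added example that is not the paper's code. The digit-count bucketing of duration and byte counts, the host addresses, the thresholds and the 10-point tolerance are constructed assumptions of this example.

```python
from itertools import combinations

def bucket(value):
    """Digit-count bucket so continuous fields become items (assumption of this example)."""
    return 0 if value <= 0 else len(str(int(value)))

def to_transaction(rec):
    """Connection record -> frozenset of 'attr=value' items; time is only the ID."""
    return frozenset([
        f"duration={bucket(rec['duration'])}", f"service={rec['service']}",
        f"src_host={rec['src_host']}", f"dst_host={rec['dst_host']}",
        f"src_bytes={bucket(rec['src_bytes'])}",
        f"dst_bytes={bucket(rec['dst_bytes'])}", f"flag={rec['flag']}"])

def apriori(transactions, min_sup):
    """Apriori: all frequent itemsets as {itemset: support_count}.
    min_sup is a fraction of the transaction count."""
    min_count = min_sup * len(transactions)
    counts = {}
    for t in transactions:                      # find_frequent_1-itemsets(D)
        for item in t:
            counts[frozenset([item])] = counts.get(frozenset([item]), 0) + 1
    L = {s: c for s, c in counts.items() if c >= min_count}
    frequent, k = dict(L), 2
    while L:                                    # until L(k-1) is empty
        prev = sorted(L, key=sorted)
        candidates = set()
        for i, l1 in enumerate(prev):           # join step: equal first k-2 items
            for l2 in prev[i + 1:]:
                if sorted(l1)[:-1] == sorted(l2)[:-1]:
                    c = l1 | l2
                    # prune step: drop c if any (k-1)-subset is infrequent
                    if all(frozenset(s) in L for s in combinations(c, k - 1)):
                        candidates.add(c)
        counts = {c: sum(1 for t in transactions if c <= t) for c in candidates}
        L = {c: n for c, n in counts.items() if n >= min_count}
        frequent.update(L)
        k += 1
    return frequent

def generate_rules(frequent, n_trans, min_conf):
    """Rules {(lhs, rhs): (support %, confidence %)}: for each frequent itemset l and
    non-empty proper subset s, emit s -> (l - s) when count(l)/count(s) >= min_conf."""
    rules = {}
    for l, cnt in frequent.items():
        for r in range(1, len(l)):
            for s in combinations(l, r):
                s = frozenset(s)
                conf = cnt / frequent[s]        # every subset of l is frequent too
                if conf >= min_conf:
                    rules[(s, l - s)] = (100 * cnt / n_trans, 100 * conf)
    return rules

def mine_rules(records, min_sup=0.3, min_conf=0.8):
    """Connection records -> association rule set (thresholds are assumptions)."""
    transactions = [to_transaction(r) for r in records]
    return generate_rules(apriori(transactions, min_sup), len(transactions), min_conf)

def similarity(cluster_rules, test_rules, tol=10.0):
    """similarity = (p/n) * (p/m): p counts test rules whose two sides equal a
    cluster rule and whose support and confidence differ by at most tol points."""
    n, m = len(cluster_rules), len(test_rules)
    if n == 0 or m == 0:
        return 0.0
    p = sum(1 for key, (s, c) in test_rules.items() if key in cluster_rules
            and abs(cluster_rules[key][0] - s) <= tol
            and abs(cluster_rules[key][1] - c) <= tol)
    return (p / n) * (p / m)

def rec(time, duration, service, src, dst, sb, db, flag):
    return dict(time=time, duration=duration, service=service, src_host=src,
                dst_host=dst, src_bytes=sb, dst_bytes=db, flag=flag)

# Constructed training data: two clients browsing one web server, plus DNS lookups.
NORMAL = [rec(1, 1, "WWW", "10.0.0.11", "10.0.0.5", 300, 2000, "SF"),
          rec(2, 2, "WWW", "10.0.0.11", "10.0.0.5", 400, 3500, "SF"),
          rec(3, 1, "WWW", "10.0.0.11", "10.0.0.5", 250, 1800, "SF"),
          rec(4, 3, "WWW", "10.0.0.11", "10.0.0.5", 500, 4000, "SF"),
          rec(5, 1, "WWW", "10.0.0.12", "10.0.0.5", 300, 2200, "SF"),
          rec(6, 2, "WWW", "10.0.0.12", "10.0.0.5", 350, 2600, "SF"),
          rec(7, 1, "WWW", "10.0.0.12", "10.0.0.5", 280, 1900, "SF"),
          rec(8, 2, "WWW", "10.0.0.12", "10.0.0.5", 320, 3000, "SF"),
          rec(9, 0, "DNS", "10.0.0.11", "10.0.0.6", 60, 120, "SF"),
          rec(10, 0, "DNS", "10.0.0.12", "10.0.0.6", 60, 130, "SF")]
# Constructed test data: an unknown host whose Telnet connections are all rejected.
ANOMALY = [rec(100 + i, 0, "Telnet", "10.0.0.99", "10.0.0.5", 40, 0, "REJ")
           for i in range(6)]

CLUSTER_RULES = mine_rules(NORMAL)              # the anomaly detection model

def is_anomalous(test_records, threshold=0.5):
    """Event-analyzer decision: similarity below the user threshold means anomaly."""
    return similarity(CLUSTER_RULES, mine_rules(test_records)) < threshold
```

The NORMAL set yields, among others, the rule src_host=10.0.0.11 ∧ dst_host=10.0.0.5 → service=WWW with support 40% and confidence 100%, in the same form as the paper's example rule.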
