
Research on Lightweight Intrusion Detection Model and Algorithm Based on Deep Learning

【Author】 Li Zeyu (李泽煜)

【Advisor】 Wang Zhendong (王振东)

【Author information】 Jiangxi University of Science and Technology, Computer Technology, 2023, Master's

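【Summary】 The combination of deep learning and intrusion detection has become a hot topic in network security. Faced with massive, high-dimensional network traffic with an uneven sample distribution, the primary task of an intrusion detection model is to detect attack traffic quickly and accurately. On this basis, this thesis combines deep learning with intrusion detection and uses the strong representational power of deep learning to address these problems. The work focuses on reducing the model's dependence on labelled data and optimizing the parameter count of the neural network model, in order to build a fast and accurate network intrusion detection model. The main contents are as follows:

(1) To address the need of supervised learning for large amounts of manually labelled data and the poor generalization of unsupervised learning models, an intrusion detection model based on improved BYOL self-supervised learning (IBYOLIDS) is proposed. The model uses self-supervised learning, which can be trained without labels: it learns its own supervisory signal from massive unlabelled data and then trains the model with this pseudo supervisory signal, thereby learning valuable network traffic feature representations that generalize very well. The essence of deep learning lies precisely in its powerful representation learning ability. The excellent results obtained in transfer learning experiments on NSL-KDD, KDD CUP99, CIC IDS2017 and CIDDS_001 suffice to demonstrate the strong generalization ability of the self-supervised learning model and the generality of the extracted network traffic feature representations.

(2) Because most intrusion detection models are deployed on resource-constrained devices, for example devices with limited power and limited computing, communication and storage capacity, a knowledge distillation intrusion detection model built on a lightweight triplet convolutional neural network (KD-TCNN) is proposed. It lowers model complexity and computation in three respects to achieve high-accuracy, timely anomaly detection: feature selection, model compression, and the convolutional neural network. A new K-fold cross training method is proposed that uses the idea of pre-training to improve model performance. Compared with traditional deep learning methods and SOTA models, the KD-TCNN model has significant advantages on all performance metrics on the NSL-KDD and CIC IDS2017 datasets.

(3) Because intrusion detection models are usually deployed on facilities with limited computing power and resources, and attack traffic samples are hard to collect, a two-stage lightweight intrusion detection model based on self-supervised learning and self-knowledge distillation (CL-SKD) is proposed. It reduces the model's over-reliance on labelled data, optimizes its generalization ability, and greatly increases detection speed while reducing model complexity. The first stage uses self-supervised contrastive learning to learn the essential feature representations of network traffic; the second stage uses self-knowledge distillation to transfer the feature representations learned by the large model to the small model. Binary and multi-class classification experiments are carried out on the KDD CUP99, NSL-KDD, UNSW-NB15, CIC IDS2017 and CIDDS-001 datasets to verify the strong generalization ability and excellent anomaly detection ability of the proposed model.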

【Abstract】 In today's cybersecurity field, the combination of deep learning and intrusion detection is gaining more and more attention. Faced with massive, high-dimensional network traffic with an uneven sample distribution, the primary task of intrusion detection is to detect anomalous traffic quickly and accurately. Based on this, this paper combines deep learning with intrusion detection, using the powerful representational ability of deep learning to solve the above problems. It focuses mainly on reducing the model's dependence on labelled data and optimizing the number of parameters in the intrusion detection model, in order to build a fast and accurate intrusion detection model. The paper's primary contributions are as follows:

(1) Because supervised learning methods require a large amount of manually labelled data and unsupervised learning models generalize poorly, we propose an intrusion detection model based on improved BYOL self-supervised learning, named IBYOL-IDS. We adopt self-supervised learning, in which the model can be trained without labels: it derives its own supervisory information from large-scale unlabelled data and trains the model with this pseudo supervisory information to learn highly generalizable and valuable representations of network traffic. The essence of deep learning lies in its powerful representation learning capability. The excellent results obtained in the transfer learning experiments on NSL-KDD, KDD CUP99, CIC IDS2017 and CIDDS_001 are enough to prove the strong generalization ability of the self-supervised learning model and the generality of the extracted network traffic feature representations.

(2) Because intrusion detection models are mostly deployed on resource-constrained devices, with, for example, limited energy, low computational resources, poor communication environments and restricted storage capacity, we propose a lightweight yet efficient intrusion detection approach based on knowledge distillation and a triplet convolutional neural network, named KD-TCNN. The complexity and computation of the proposed intrusion detection model are reduced in three respects to achieve more accurate, real-time and lightweight anomaly detection: feature selection, model compression, and convolutional neural network architecture. We also propose a new K-fold cross training method that uses the idea of pre-training and fine-tuning to enhance the performance of the proposed KD-TCNN. Compared with traditional deep learning approaches and several state-of-the-art models, the KD-TCNN model has significant advantages in all performance metrics on the NSL-KDD and CIC IDS2017 datasets.

(3) Since intrusion detection models are usually deployed on facilities with limited computing power and resources, and malicious traffic samples are difficult to collect, we propose a two-stage lightweight intrusion detection model named CL-SKD, based on self-supervised learning and self-knowledge distillation, to reduce the model's over-reliance on labels, optimize the model's generalization ability, and greatly improve the speed of intrusion detection while reducing the complexity of the model. In the first phase, we use self-supervised contrastive learning, which can train a model without labelled data, to learn feature representations that capture the essence of network traffic. In the second phase, we use self-knowledge distillation to transfer the feature representations learned by the large convolutional neural network to the depthwise separable convolution network. We conduct binary and multi-class classification experiments on the datasets KDD CUP99, NSL-KDD, UNSW-NB15, CIC IDS2017 and CIDDS-001 to compare recent state-of-the-art models with our CL-SKD model, so as to demonstrate the powerful generalization ability and excellent anomaly detection capability of the proposed model.

  • 【Classification code】 TP393.08; TP18
  • 【Downloads】 73