SwiftIDS: Real-time intrusion detection system based on LightGBM and parallel intrusion detection mechanism
Computers & Security (IF 4.8), Pub Date: 2020-07-25, DOI: 10.1016/j.cose.2020.101984
Dongzi Jin , Yiqin Lu , Jiancheng Qin , Zhe Cheng , Zhongshu Mao

High-speed networks are becoming common nowadays. A challenge that naturally arises is that an intrusion detection system (IDS) must detect attacks in a timely manner within the huge volumes of traffic data that high-speed networks produce. Existing IDSs, however, mainly focus on improving the detection rate and reducing the false alarm rate, and the methods they use for this are complicated and time-consuming. In this paper, we propose an IDS named SwiftIDS, which is capable of both analyzing massive traffic data from high-speed networks in a timely manner and keeping satisfactory detection performance. SwiftIDS achieves these goals through two approaches. The first is that the light gradient boosting machine (LightGBM) is adopted as the intrusion detection algorithm to handle the massive traffic data. The motivation is not only to take advantage of LightGBM's effective detection performance, but also to use its native support for categorical features to simplify data preprocessing. The second is that a parallel intrusion detection mechanism is used to analyze traffic data arriving in different time windows. In this way, the delay caused by later-arriving data waiting for the end of the detection cycle of earlier-arriving data is avoided. The time efficiency and satisfactory detection performance of SwiftIDS are verified through offline experiments on three benchmark datasets. Furthermore, we perform a near real-time experiment to provide stronger evidence for the timeliness of SwiftIDS.
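The queuing argument behind the parallel mechanism can be made concrete with a small timing model. The following is an added example, not code from the SwiftIDS paper: traffic is cut into fixed-length windows, each window is ready at its arrival time, and one detection cycle on a window takes a fixed amount of time. With a single worker, a window cannot be analyzed until the previous window's cycle has finished, so backlog grows whenever the cycle is longer than the window; with one worker per window, every window's latency is just the cycle time. The per-window detector is a constructed byte-count threshold standing in for LightGBM, and all window lengths, cycle times and byte counts are constructed values, not figures from the paper.

```python
"""Timing model of sequential vs. parallel per-window intrusion detection.

Added example; not the SwiftIDS authors' code. The detector is a constructed
stand-in (assumption), not the paper's LightGBM model.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Window:
    index: int
    arrival: float   # seconds at which the window is complete and ready
    bytes_out: int   # constructed feature: bytes seen in the window


def latencies(arrivals: Sequence[float], cycle: float, workers: int) -> List[float]:
    """Detection latency (completion time minus arrival time) for each window.

    `workers == 1` is the sequential policy: each window waits for the
    previous window's cycle to end.  A large `workers` is the fully
    parallel policy: every window is dispatched as soon as it arrives.
    Intermediate values show what happens when a pool cannot keep up.
    """
    if workers < 1:
        raise ValueError("need at least one worker")
    free_at = [0.0] * workers              # time each worker becomes idle
    out = []
    for t in arrivals:
        w = min(range(workers), key=free_at.__getitem__)  # earliest idle worker
        start = max(t, free_at[w])          # wait only if that worker is busy
        free_at[w] = start + cycle
        out.append(free_at[w] - t)
    return out


def steady_state_growth(window_len: float, cycle: float, workers: int) -> float:
    """Per-window latency growth once the pool saturates (0.0 if it keeps up).

    A pool of `workers` finishes `workers` windows per `cycle`; windows arrive
    one per `window_len`, so it keeps up iff workers * window_len >= cycle.
    """
    return max(0.0, cycle / workers - window_len)


def detect(window: Window, threshold: int = 10_000) -> Tuple[int, bool]:
    # Constructed stand-in for the LightGBM classifier: flag heavy windows.
    return window.index, window.bytes_out > threshold


def run_parallel(windows: Sequence[Window], workers: int = 4) -> Dict[int, bool]:
    """Dispatch every window to the pool; results are keyed by window index."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(detect, windows))


if __name__ == "__main__":
    W, D = 1.0, 2.5                       # constructed: 1 s windows, 2.5 s cycle
    arrivals = [i * W for i in range(1, 7)]
    for k in (1, 2, 3, 6):
        print(f"{k} worker(s):", latencies(arrivals, D, k),
              "growth/window:", steady_state_growth(W, D, k))
    sample = [Window(0, 1.0, 500), Window(1, 2.0, 12_000), Window(2, 3.0, 800)]
    print(run_parallel(sample))           # {0: False, 1: True, 2: False}
```

The point a practitioner should take from the model is the condition in `steady_state_growth`: parallel dispatch removes the waiting delay only while the pool finishes windows at least as fast as they arrive; with a 1 s window and a 2.5 s cycle, two workers still accumulate 0.25 s of latency per window, and three are the minimum that keep latency flat.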



Chinese translation (rendered here in English):

SwiftIDS: A real-time intrusion detection system based on LightGBM and a parallel intrusion detection mechanism

High-speed networks are becoming increasingly common nowadays. The challenge that naturally arises is that an intrusion detection system (IDS) should detect attacks in the large volumes of traffic data produced by high-speed networks in a timely manner. Existing IDSs, however, mainly concentrate on raising the detection rate and lowering the false alarm rate, which is both complicated and time-consuming. In this paper, we propose an IDS named SwiftIDS, which can analyze large volumes of traffic data in high-speed networks in a timely manner while maintaining satisfactory detection performance. SwiftIDS achieves these goals through two methods. One is to adopt the light gradient boosting machine (LightGBM) as the intrusion detection algorithm to process the large volumes of traffic data. The motivation for this method is not only to make use of LightGBM's effective detection performance, but also to use its support for categorical features to simplify data preprocessing. The other is to use a parallel intrusion detection mechanism to analyze traffic data arriving in different time windows. In this way, the delay caused by later-arriving data waiting for the end of the intrusion detection cycle of the first-arriving data can be avoided. Offline experiments on three benchmark datasets verify the time efficiency and satisfactory detection performance of SwiftIDS. In addition, we carry out a near real-time experiment to provide more convincing evidence of the timeliness of SwiftIDS.

Updated: 2020-08-05