Computer Communications

Volume 178, 1 October 2021, Pages 131-140
Network intrusion detection based on IE-DBN model

https://doi.org/10.1016/j.comcom.2021.07.016

Abstract

Existing network intrusion detection models suffer from problems such as low detection accuracy and high false alarm rates in the face of massive data traffic. Deep-learning models provide a solution, as they can reduce the dimensionality of massive data, extract data features, and identify intrusions. However, the network structure and the number of hidden-layer neurons of deep-learning models are determined by empirical or trial-and-error methods, which affects the generalization ability and learning efficiency of the model. In the present work, a deep belief network model based on information entropy (IE-DBN model) is proposed for network intrusion detection. The model uses information gain (IG) to reduce the dimensionality of high-dimensional data features and remove redundant features. Information entropy is used to determine the number of hidden neurons in the DBN network and the network depth. The synthetic minority oversampling technique (SMOTE) algorithm is used to address the problem of data imbalance. Tests on the KDD CUP 99 intrusion detection data set have shown that the proposed IE-DBN model improved the convergence speed of the model and reduced the likelihood of overfitting. Compared with the conventional back propagation (BP) neural network and DBN network model, the IE-DBN model obtained a higher detection accuracy and a lower false alarm rate. Verification tests on other intrusion detection data sets showed that the proposed IE-DBN model had good generalization capacity.

Introduction

The Internet, characterized by openness and inclusiveness, is vulnerable to external intrusion. Intrusion detection, a technology for promptly detecting and reporting unauthorized access or anomalies, helps protect the security of network systems. At present, there are four popular intrusion detection methods: (1) Feature-based detection: this method offers high accuracy in prediction and detection, but it requires prior knowledge or experience of intrusions and attacks; (2) Statistical algorithm-based detection: mainly used for anomaly detection, this method has a high detection rate, but its “learning” ability lets intruders follow the statistical rules of normal operation and pass detection; (3) Expert systems: this method mainly targets intrusion behaviors, and its effectiveness depends entirely on the completeness of the expert system's knowledge base; (4) File integrity check: this method uses a hash function to compare a file's digital digest with the values stored in the database.

An artificial intelligence anomaly detection method is proposed in [1]. This method obtains features and statistical data by monitoring the network traffic, analyzing and processing packets, and carries out anomaly detection combined with cluster analysis, with an accuracy of 98%. Yazdinejadna et al. [2] proposed a kangaroo-based intrusion detection system, which was based on the software-defined networking (SDN) architecture for data plane attack detection and malicious behaviors, and was proved to perform well in detecting malicious packets. Lou et al. [3] constructed a rule base for detecting network intrusion and developed a new method for mining association rules from multi-source logs of the cloud computing platform to detect various intrusion behaviors. This approach can speed up the computation adaptively and has a good effect on the computation efficiency and accuracy. Although non-machine learning attack detection schemes are sensitive to known attack types, they show limitations in dealing with unknown attacks and big data [4].

In recent years, with the continuous development of artificial intelligence and machine learning technologies, researchers have proposed the use of machine learning methods for intrusion detection, such as neural networks, decision trees, artificial immune systems, and support vector machine [5] methods, to improve detection accuracy. Kasongo and Sun [6] used machine learning to build an intrusion detection system: for high-dimensional data spaces and highly unbalanced data sets, a filter-based feature reduction technique was applied using the XGBoost algorithm; then, the machine learning algorithm was adopted to detect the simplified feature space. The detection accuracy was improved by 2.72%. In [7], the CNN algorithm was adopted for feature extraction. Naive Bayes and self-organizing mapping are applied to intrusion detection, and the detection rate of user-to-root (U2R) type reached 93.0%. However, in the face of massive data intrusion detection, the conventional shallow machine learning methods show shortcomings such as limited expression and generalization capacity as well as susceptibility to overfitting. These defects greatly reduce the processing speed of the system and affect the detection effect of the model.

Deep learning methods can reduce the feature dimension of massive data and classify a large amount of unlabeled data. However, general deep neural networks are vulnerable to the influence of weights, thresholds, and learning rates, and are likely to fall into a local optimum. Wang et al. [8] combined the gated convolutional neural network (GCNN) model with a data augmentation method for intrusion detection, which enhances the robustness of the model. After verification, the GCNN model can better obtain the potential information of enhanced data and achieve the best performance. The GAN algorithm has been applied to intrusion detection and has achieved very good detection results [9], [10], [11]. Some scholars [12], [13], [14], [15], [16] applied deep learning neural network algorithms to intrusion detection. The influence of hidden layer nodes, the number of neural network layers, and the learning rate on the performance of the algorithm is discussed to improve the accuracy of intrusion detection. Some scholars also proposed an intrusion detection algorithm based on the hybrid model of deep learning [17], [18], [19], [20], [21], but the hybrid model is relatively complex.

Analyses of the above intrusion detection algorithms reveal many shortcomings of conventional intrusion detection methods: shallow machine learning algorithms cannot solve complex problems, general deep learning algorithms are susceptible to the influence of parameters such as weights, and the hybrid model is relatively complex. To address these problems, this paper proposes an IE-DBN model for intrusion detection, in which the information entropy is employed to optimize the DBN network structure to determine the number of hidden neurons and the network depth.

The main contributions of this paper are as follows:

(1) Information gain (IG) is used to reduce the dimension of the feature data to preserve the feature attributes that contributed more to the results.

(2) The RError value is used to adjust the number of hidden layers to determine the network depth, that is, the model structure.

(3) Information entropy (IE) is used to optimize the number of nodes in the hidden layer to get the best number of nodes in the hidden layer.
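
Contribution (1) in practice, as an added example that is not the paper's code: information gain computed over constructed connection records whose column names follow KDD CUP 99 fields, then used to rank and filter features. The `min_gain` cutoff is an assumption, since the selection rule the authors use is not given on this page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample records (not taken from KDD CUP 99): three symbolic
# features named after KDD CUP 99 fields, followed by the class label.
FEATURES = ["protocol_type", "service", "flag"]
RECORDS = [
    ("tcp", "http", "SF", "normal"),
    ("tcp", "http", "SF", "normal"),
    ("udp", "domain_u", "SF", "normal"),
    ("tcp", "smtp", "SF", "normal"),
    ("tcp", "private", "S0", "attack"),
    ("tcp", "private", "S0", "attack"),
    ("tcp", "http", "S0", "attack"),
    ("icmp", "ecr_i", "SF", "attack"),
]

def entropy(labels):
    """Shannon entropy H(Y), in bits, of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def information_gain(records, col):
    """IG(Y; X) = H(Y) - sum_v P(X=v) * H(Y | X=v) for feature column `col`."""
    groups = defaultdict(list)
    for r in records:
        groups[r[col]].append(r[-1])
    conditional = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    return entropy([r[-1] for r in records]) - conditional

def rank_features(records, names):
    """Return (feature, gain) pairs, most informative feature first."""
    gains = {name: information_gain(records, i) for i, name in enumerate(names)}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)

def select_features(records, names, min_gain):
    # min_gain is a hypothetical cutoff; features below it are dropped as redundant.
    return [name for name, g in rank_features(records, names) if g >= min_gain]

if __name__ == "__main__":
    for name, gain in rank_features(RECORDS, FEATURES):
        print(f"{name:14s} IG = {gain:.4f} bits")
    print("kept:", select_features(RECORDS, FEATURES, min_gain=0.3))
```

Information gain favors features with many distinct values (here `service`), so high-cardinality fields deserve a second look before they are kept on that score alone.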

This paper is organized in five sections: Section 1 is the introduction, which states the research value, status quo, and existing problems of intrusion detection methods. Section 2 presents related works, which introduces the application of the DBN model and information entropy in intrusion detection, and proposes the research method of this article. The third section is the establishment of the IE-DBN model. The following section is the experimental results and analysis. Conclusion and further work are presented in Section 5.

Section snippets

Related work

At present, in the field of network security, the DBN algorithm and information entropy have become popular methods for intrusion detection. However, no scholar has combined the two for intrusion detection. In this paper, the number of hidden-layer neurons and the depth of the DBN network are determined by information entropy, and the resulting IE-DBN model is applied to intrusion detection.

Information entropy optimization deep belief network model

In the present work, the DBN network structure is optimized by information entropy, which could preclude underfitting or overfitting, and effectively improve the learning efficiency and accuracy of the network. In this way, the model can better represent the input information.

Experiments

This paper proposes an information entropy-optimized DBN network model. As validated on the UCI machine learning data set [36], the model could improve the detection accuracy and reduce the false alarm rate. However, the imbalance of the UCI data set remains a problem: the sample size of a certain type is small and will result in a low detection accuracy of this type. Because of the imbalance of the data set, the SMOTE oversampling algorithm was used to treat the data set to improve the

Conclusion and further work

Due to the random initialization of weight parameters in the back-propagation process of the BP neural network model, the network is prone to local optimum and overfitting may occur. Under the condition of the same parameters, the training results may differ greatly. The DBN model has better robustness, adaptability, and stability when it carries out layer-by-layer unsupervised training on RBM. Increasing the number of layers in DBN can improve the calculation accuracy, but after increasing the

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (48)

  • Garcia N. et al. A distributed real-time SlowDos attacks detection over encrypted traffic using artificial intelligence. J. Netw. Comput. Appl. (2021)
  • Huang S. et al. IGAN-IDS: An imbalanced generative adversarial network towards intrusion detection system in Ad-hoc networks. Ad Hoc Netw. (2020)
  • Yazdinejadna Abbas et al. A kangaroo-based intrusion detection system on software-defined networks. Comput. Netw. (2021)
  • Lou P. et al. Cyber intrusion detection through association rule mining on multi-source logs. Appl. Intell. (2020)
  • Xu M.F. et al. Intrusion detection scheme based on semi-supervised learning and information gain rate. Comput. Res. Dev. (2017)
  • J.V. Anand Sukumar, I. Pranav, M. Neetish, J. Narayanan, Network Intrusion Detection Using Improved Genetic k-means...
  • Kasongo Sydney M. et al. Performance analysis of intrusion detection systems using a feature selection method on the UNSW-NB15 dataset. J. Big Data (2020)
  • Parasuraman Kumar A. et al. Analysis of intrusion detection in cyber-attacks using DEEP learning neural networks. Peer-To-Peer Netw. Appl. (2020)
  • Wang Yixiang et al. On the combination of data augmentation method and gated convolution model for building effective and robust intrusion detection. Cybersecurity (2020)
  • Ferdowsi A. et al. (2019)
  • Yang Yanrong et al. Network intrusion detection method based on GAN-PSO-ELM. Comput. Eng. Appl. (2020)
  • Zhang L. et al. Application of machine learning in cyberspace security research. J. Comput. (2018)
  • Yi C.L. et al. A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access (2017)
  • Sheraz N. et al. Enhanced network anomaly detection based on deep neural networks. IEEE Access (2018)
  • Sheikhan M. et al. Intrusion detection using reduced-size RNN based on feature grouping. Neural Comput. Appl. (2012)
  • Gao N. et al. Intrusion detection model based on deep belief network. J. Southeast Univ. (2015)
  • Wang Y. et al. Intrusion detection algorithm based on DBN-Kelm. Comput. Eng. (2019)
  • Abdelkader E.M. On the hybridization of pre-trained deep learning and differential evolution algorithms for semantic crack detection and recognition in ensemble of infrastructures. Smart and Sustain. Built Environ. (2021)
  • Yang H.H. et al. Design of hybrid intrusion detection model using information gain rate. Inf. Control (2019)
  • de Araújo Igor Meireles et al. A GPU-assisted NFV framework for intrusion detection system. Comput. Commun. (2021)
  • Swarna Priya R.M. et al. An effective feature engineering for DNN using hybrid PCA-GWO for intrusion detection in IoMT architecture. Comput. Commun. (2020)
  • Tian Q. et al. An intrusion detection approach based on improved deep belief network. Appl. Intell. (2020)
  • Tan X.P. et al. Intrusion detection of UAVs based on the deep belief network optimized by PSO. Sensors (2019)
  • Süzen Ahmet Ali. Developing a multi-level intrusion detection system using hybrid-DBN. J. Ambient Intell. Humaniz. Comput. (2020)

Cited by (27)

    • Real-time network intrusion detection using deferred decision and hybrid classifier

      2022, Future Generation Computer Systems
      Citation Excerpt :

      This process improves the scalability of the session size, allowing a robust and smooth operation on large networks compared to the packet-based approach. In general, session-based NIDS processes session-by-session to extract the session features for ML, reflecting the characteristics of that session [14,20–25]. Such intra-session-based features may not reflect the characteristics of a distributed intrusion by multiple sessions, such as a DDoS attack [26,27].


This work is supported by the National Natural Science Foundation of China (61673319); Doctoral Research Start-up Fund of Weinan Normal University: Research on Digital Activation Technology of Cultural Relics (20RC15); Key Research and Development Projects of Science and Technology in Weinan (zdyf-jcyj-19_zsg, 2019-ZDYF-SFGG-59); Project of Weinan Normal University (21WX13, 20HX109); Weinan Normal University electronic information (computer technology) master degree program (18TSXK06).
