Intrusion detection algorithm based on image enhanced convolutional neural network

Abstract

Intrusion Detection System (IDS) can reduce the losses caused by intrusion behaviors and protect users’ information security. The effectiveness of IDS depends on the performance of the algorithm used in identifying intrusions. And traditional machine learning algorithms are limited to deal with the intrusion data with the characteristics of high-dimensionality, nonlinearity and imbalance. Therefore, this paper proposes an Intrusion Detection algorithm based on Image Enhanced Convolutional Neural Network (ID-IE-CNN). Firstly, based on the image processing technology of deep learning, oversampling method is used to increase the amount of original data to achieve data balance. Secondly, the one-dimensional data is converted into two-dimensional image data, the convolutional layer and the pooling layer are used to extract the main features of the image to reduce the data dimensionality. Thirdly, the Tanh function is introduced as an activation function to fit nonlinear data, a fully connected layer is used to integrate local information, and the generalization ability of the prediction model is improved by the Dropout method. Finally, the Softmax classifier is used to predict the behavior of intrusion detection. This paper uses the KDDCup99 data set and compares with other competitive algorithms. Both in the performance of binary classification and multi-classification, ID-IE-CNN is better than the compared algorithms, which verifies its superiority.

Keywords

Intrusion detection convolutional neural network image enhancement

1 Introduction

With the development of network technology, the rapid growth of the network scale brings not only convenience to people but also risks and challenges. Hackers invade the user system by looking for security loopholes in the network, so as to steal private data, encroach on server resources, and obtain illegal rights and interests, which has brought great trouble to people. Long et al. [1] described the most common website vulnerabilities and proposed an effective network vulnerability detection algorithm. However, vulnerability detection is a passive defense strategy, in order to better deal with network attacks, we need to cooperate with active intrusion detection technology. Network intrusion detection is the most critical and widely used system security strategy. By learning of a large number of intrusion characteristics and real-time detection, IDS can accurately monitor abnormal traffic, analyze various network protocols and user behaviors, and accurately detect intrusion attacks, thereby avoiding losses [2]. In recent years, with the demand for the Internet, the amount of data transmitted on the network has increased exponentially. The contradiction between massive data processing and insufficient detection technology is the main problem facing current network security [3]. Therefore, strengthening the research on intrusion detection technology is of great significance to preventing problems caused by information security.

At present, machine learning is the most popular in intrusion detection. Tong et al. [4] analyzed the machine learning algorithm for botnet DDoS attack detection, and concluded that USML(unsupervised learning) can effectively distinguish botnet and normal network traffic, which is of great significance to computer security and other related fields. Krishnan et al. [5] proposed an improved region based intrusion detection system, which realized the identification of malicious nodes in the presence of false error reports, improved the delivery rate of packets and reduced the false alarm rate. Lu et al. [6] proposed an intrusion detection algorithm combining with principal component analysis and k-means clustering, which was applied to obtain a higher accuracy and a lower false alarm rate. Lin et al. [7] proposed the cluster center and nearest neighbor based algorithm to extract the representative features for effective detection of normal connections and attack behaviors, and the classification accuracy is improved. Jiang et al. [8] proposed a two-level hybrid algorithm, a filtering feature selection method is used to reduce the feature dimensionality, and a hypergraph is introduced to rescreen the obtained feature subsets, and the random forest and improved k-means algorithms are used for classification. Chen et al. [9] proposed a model RF-XGB based on random forest and extreme gradient boosting tree, the accuracy is guaranteed and the training time of the model is effectively reduced. Elhefnawy et al. [10] proposed a hybrid nested genetic fuzzy algorithm HNGFA, feature selection methods are also considered. These two algorithms greatly improves the classification accuracy of small classes. Yao et al. [11] proposed a HMLD framework based on hybrid multi-level data mining to solve the problem of data imbalance for multi-classification. The KDDCUP99 data set was used to verify the performance of HMLD, and the accuracy reached 96.70%, which greatly improved the prediction accuracy compared with the algorithms proposed in the same period. Meryem et al. [12] proposed a hybrid method combining marking and classification, which improves the accuracy of intrusion detection technology, reduces the false alarm rate, and has a good detection rate for unknown attacks.

Deep Learning is an excellent technique that deals with variants of data, because it can not only learn the given feature but also automatically extract features from data to achieve the goal of classification task [13]. With the increasing complexity of the network environment, machine learning has also shown its limitations. The application of deep learning in cyberspace security has gradually attracted the attention of scholars at home and abroad [14]. Deep learning is a new field in machine learning research. It combines low-level features to discover distributed feature representations of data, resulting in a more abstract high-level presentation of attribute category or feature [15]. It is a neural network that establishes and simulates the human brain for analysis and learning.

Some researchers have applied deep learning in the field of intrusion detection and achieved good results, proving the feasibility of deep learning in the field of network security. Zhou et al. [16] proposed a network intrusion detection method based on AutoEncoder and ResNet, the experimental results have good performance in accuracy, true positive rate and false negative rate. In order to improve the detection ability of unknown attacks, Sohi et al. [17] proposed an algorithm that used Recurrent Neural Network (RNN) to discover complex attack patterns and generate similar data, the algorithm has strong generalization ability. Srikanthyadav et al. [18] proposed a deep learning algorithm for network intrusion detection using deep AutoEncoder, optimized the training model using Adam optimization method, and achieved high accuracy on NSL-KDD data set and CICIDS 2017 data set in the Tensor Flow framework. Feng et al. [19] proposed an intrusion detection model based on a feedforward neural network to reduce the complexity of the intrusion detection model, the training time is reduced and the classification efficiency is ensured. Chakravarthi et al. [20] proposed an efficient intrusion detection algorithm AE with deep automatic coding. The application of the AE algorithm can help SVM and dense NN models reduce the false negative rate in anomaly detection and attack classification.

With the advancement of deep learning theory and the improvement of numerical computing equipment, Convolutional Neural Networks (CNN), a deep learning model, has been widely used in many fields such as computer vision and natural language processing. Compared with traditional machine learning algorithms, it has a higher accuracy rate and lower false alarm rate in most cases [21]. In the era of big data, intrusion detection data is more complex and diverse, gradually showing the characteristics of class imbalance, high-dimensionality, and nonlinearity [20]. The huge amount of calculation makes traditional machine learning algorithms stretched [14]. The characteristics of parameter sharing and local connection in CNN model make it still maintain strong learning ability and recognition ability when facing high-dimensional nonlinear data [22].

In order to solve the problems in the field of intrusion detection and improve the performance of intrusion detection, this paper proposes an intrusion detection algorithm based on image enhancement convolutional neural network. The contribution of the paper can be summarized as below.

In order to solve the problem of data imbalance and make a higher accuracy rate in application, this paper proposes the method of generating new samples to increase the number of small types of data. In this way, a balanced data set is established for the training of the intrusion detection data model.

In order to efficiently utilize the advantages of CNN in image processing, a method of converting one-dimensional data samples into two-dimensional images is proposed. Using this method, the original one-dimensional feature of the intrusion detection data set is converted into a two-dimensional gray image.

In order to solve the problems of high dimensionality and complexity of the existing data sets, it is proposed to use the CNN model to extract the data features of the converted image samples. After training, a model with good classification performance is obtained.

The rest of this paper is organized as follows. Section 2 describes some of the related technologies. Section 3 details the proposed algorithm ID-IE-CNN. In Section 4, the performance of algorithm ID-IE-CNN is verified by experiments with KDDCup99 data set. Finally, the conclusions are summarized in Section 5.

2 Related technologies

2.1 Data preprocessing

In order to adapt to the ID-IE-CNN algorithm proposed in this paper, the data set is specially preprocessed, and the process is shown in Fig. 1.

Fig. 1

Data processing.

2.1.1 Conversion of the character data

In the collected data, there are often numerical data and character data. Inconsistent data types will increase the difficulty of data processing and classification, and even the model cannot be trained and the classification cannot be tested. Therefore, the data type will be unified in the data preprocessing. Since the CNN model can only process numerical data, the character data is converted into numerical data. The conversion process is shown in Fig. 1.

2.1.2 Image enhancement

Due to the problem of class imbalance in the intrusion detection data set, the scale of samples in some classes is very small. Therefore, the amount of sample information is enhanced by oversampling method, and then the one-dimensional data of intrusion detection is converted into two-dimensional image data.

The class imbalance is one of the key factors that restrict the classification accuracy. If the sample scale of a class is too small, the information that can be learned will be quite limited. So, oversampling method is used to enhance the amount of sample information. The oversampling steps are as follows.

Find the sample x_i from a small class, use Euclidean distance to calculate its k nearest neighbors, denoted as x_ij, j ∈ (1, . . . , k);

Randomly select one of the neighboring samples x_ij, and use the random number ς, ς ∈ (0, 1) to synthesize a new sample x_new. $x_{new} = x_{i} + ς * (x_{ij} - x_{i})$ (1)

Repeat step (b) to obtain a sufficient number of samples of the small class to balance the data set.

CNN algorithm has high accuracy in image classification. In order to adapt to the ID-IE-CNN algorithm, it is necessary to transform the processed data set from one-dimensional data to two-dimensional image data. In order to ensure the integrity of the data features, this paper proposes a method based on data filling to expand the features of the data samples and convert the expanded data to two-dimensional image data. As shown in Fig. 2.

Fig. 2

Data conversion.

Fig. 3

Traditional neural network structure.

On the basis of retaining all the information of the original data set, this method expands the dimensions of the sample features by using a random normal distribution, and retains the effective information of the original data set to the greatest extent. Data conversion algorithm is as follows.

Select a sample x from the data set X;

Use the random normal distribution function to expand x from n columns to n + m columns;

Reconstruct the structure of x into a p*q matrix, where p*q = n + m;

Repeat steps a, b, and c until all samples in X are traversed.

2.2 CNN model

CNN model is an improvement of traditional neural network and has outstanding contributions in the field of image recognition. Traditional neural networks have only input layer, hidden layer and output layer, with various weights and complex calculations, and the input features are manually selected. The traditional neural network is shown below.

Although the CNN model is still a hierarchical network, the function and form of the layers have been improved to solve the problems of the large amount of calculation and the loss of structural information of the artificial neural network. In the face of massive and complex data sets, CNN has unique advantages. CNN model consists of data input layer, convolutional calculation layer, excitation layer, pooling layer, fully connected layer and output layer [23], as shown in Fig. 4. It does not need to select features manually, and can reduce the number of free parameters in the network through local receptive field, convolution kernel weight sharing and down-sampling technology of time or space, so as to reduce the complexity of feature extraction and quantitative reconstruction, and effectively deal with high-dimensional and non-linear input data.

Fig. 4

Structure of CNN model.

Based on the principle of retaining the most original information and expanding as few irrelevant features as possible, when the number of features in the original data set is odd n, the data set is expanded to even n + 1 dimensions, and the data conversion method is used to convert the data set into p*q-dimensional image features for the input of the CNN model, where p*q = n + 1.

(2) Convolutional layer

The recognition process of CNN is like the human perception of external images through a local receptive field. For an image, each part of the neuron perceives the image locally, and converges the local perception to a higher level to obtain the global visual field information. Therefore, CNN can effectively handle high-dimensional nonlinear data input. The convolutional layer is the core part of the CNN model. The main feature is the sharing of local links and convolution kernel weights, which can greatly reduce the complexity of the network model. The main function of the convolutional layer is to use multiple convolution kernels to extract features through convolution operations to abstract higher-level features. The convolution operation refers to the inner product of the partial image and the convolution kernel matrix, as shown in Formula (2) [24]. $s_{(i, j)} = (X * W)_{(i, j)} = \sum_{m} \sum_{n} x_{(i + m, j + n)} w_{(m, n)}$ (2) where, W is the convolution kernel matrix, and X is the input data set.

(3) Activation function

The activation function is very important for the model of artificial neural network to learn and understand complex and nonlinear functions. For neural networks, without the activation function, it can only solve linear separable problems, and can do nothing for complex non-linear problems. The activation function can strengthen the ability of nonlinear expression of the network model and fit complex features well. Commonly used activation functions include Sigmoid, Tanh, ReLU, etc [23]. The activation functions are shown in Fig. 5.

Fig. 5

Activation functions.

The Tanh function shows the best performance in ID-IE-CNN algorithm. The Tanh function means hyperbolic tangent function. Tanh is shown in formula (3) [25].

$Tanh (x) = \frac{1 - e^{- 2 x}}{1 + e^{- 2 x}}$ (3)

The effect comparison of Sigmoid, Tanh, and ReLU is shown in Fig. 6. In most CNN models, ReLU is generally selected as the activation function [21]. However, ReLU treats eigenvalues less than zero as zero, which will increase the sparsity of the network and lose some information of the original data set. In fact, the more available information, the better learning effect. And the Tanh function can help the CNN model fit more sample information and improve the classification accuracy. Therefore, the Tanh function is used as the activation function in ID-IE-CNN algorithm. The comparative experiment also shows that Tanh makes the classification accuracy better.

Fig. 6

The loss rate of activation functions with different epoches.

In Fig. 6, the abscissa epoch represents the number of model iterations, and the ordinate represents the loss rate of the model in the validation set. It is obvious from Fig. 6 that, it converges faster with a smallest loss rate by using the Tanh function.

(4) Pooling layer

Convolution abstracts higher-level features, but does not reduce data dimensions. If the classification operation is performed after the convolution operation, it is easy to cause overfitting and reduce the classification performance. Therefore, a pooling layer is needed. The pooling layer retains the main features of the data sample while reducing the dimension, compress the feature maps and parameters, reduce the calculation of the network model, avoid the model overfitting, and enhance the model fault tolerance. The commonly used pooling operations in CNN are Max Pooling and Average Pooling. Suppose the size of the pooling window is kernel*kernel, the expression of the pooling layer is shown in Formula (4) [26]. $y_{i} = f (x_{strides \times i + j}), j \in [1, kernel]$ (4) where, f is the pooling function and strides is the moving step length.

Maximum pooling is to select the largest element from the modified feature map in the defined pooling window and used for the output of the pooling layer, as shown in Fig. 7.

Fig. 7

Maximum pooling.

Average pooling is to calculate the average value from the modified feature map in the defined pooling window and used for the output of the pooling layer, as shown in Fig. 8.

Fig. 8

Average pooling.

As shown in Figs. 7 and 8, after the convolutional data passes through the pooling layer, the original four-dimensional feature map is compressed as two-dimensional feature to reach the purpose of dimension reduction.

(5) Fully connected layer

The fully connected layer in the CNN model is similar to the hidden layer in the traditional neural network. After the pooling operation, each neuron in the feature map is connected to all neurons in the fully connected layer, and the local information with the distinguishing nature of the classes in the previous pooling layer is integrated, which can reduce the impact of location on classification and improve the robustness of the model. The process of fully connected layer can be expressed by Formula (5) [27]. $z_{j} = w_{j}^{T} \cdot x$ (5) where, z_j represents the score of the j-th class in the fully connected layer, w_j represents the weight matrix, and x is the input of the fully connected layer.

The Dropout method is introduced after the fully connected layer, which discards some neurons according to a certain probability, reduces the model overfitting, and improves the generalization ability of the model.

(6) Classification prediction

The Softmax classifier is generally used in CNN classification. After the fully connected layer, the scores z_j, z_j ∈ (- ∞ , + ∞) of the classes can be obtained. The idea of the Softmax classifier is mapping z_j to the (0, + ∞) interval, and then normalizing z_j it to the (0,1) interval to obtain the probability of each class. Compared to score, probability is more intuitive in classification, so this paper chooses Softmax as the classifier. Softmax classifier is as Formula (6) [28]. ${\hat{y}}_{j} = softmax (z_{j}) = \frac{e^{z_{j}}}{\sum_{c = 1}^{C} e^{z_{c}}}$ (6) where, C represents the number of classes of the input data set, and ${\hat{y}}_{j}$ represents the predicted class.

3 The ID-IE-CNN algorithm

The overall framework of the ID-IE-CNN algorithm is shown in Fig. 9. First, the data set is preprocessed, that is, conversation of feature value from character type to numeric type, sample enhancement by oversampling, and two-dimensional image data converted from one-dimensional data. Then input the training samples into the CNN model, and introduce the Dropout layer to optimize the model. After training, the validation set is used to verify the accuracy and loss rate. Finally, use the trained model to classify the test set, and output the classification accuracy, false negative rate and precision.

Fig. 9

Overall framework of ID-IE-CNN algorithm.

As shown in Fig. 9, the CNN model uses Tanh function as the activation function, and the whole process includes two convolutions, two pooling, and two fully connected layers. The steps are as follows, Convolutional layer ⟶ Pooling layer for feature extraction ⟶ Convolutional layer ⟶ Pooling layer ⟶ Fully connected layer ⟶ Fully connected layer ⟶ Dropout layer. The execution process of ID-IE-CNN is shown in Algorithm 1.

Algorithm 1. The proposed ID-IE-CNN algorithm

Input: Intrusion detection dataset D, extended length m
Output: classification results on evaluation metrics
1: begin
2: for each S = (X,Y) ∈ D do
// X is the features and Y is the intrusion category
3: extend X.length from n to n + m;
4: fill the extended part X[n,n + m-1] with random normal distribution number;
5: transform 1-dimentional data X to 2-dimentional data;
// the n + m data in X is transform to a p*q matrix
6: end for
7: divide the extended dataset D to training set S₁ and test set S₂;
8: balance S₁ according to the sample number of each intrusion category;
9: input the training set S₁ to train the CNN model;
10: input the test set S₂ to get the classification results on evaluation metrics;
11: end

4 Experiments

Experiments are performed on a PC with Intel(R) Core(TM) i7 processor, 3.2 GHz and 16 G memory, running on Windows 10 operating system. Programming uses Pycharm and the TensorFlow deep learning framework. The KDDCup99 data set is used to evaluate the proposed algorithms on binary classification and multi-classification.

4.1 Experimental data preprocessing

This paper uses the KDDCup99 data set [29] to verify the effectiveness of ID-IE-CNN algorithm. The data set contains 41 features and a label, 3 features and the label are in character type. The data set contains a normal class “Normal” and 38 small attack classes, and the 38 small attack classes belong to 4 big attack classes, namely “Probe”, “U2R”, “R2L”, and “Dos”. “Probe” means surveillance and probing; “Dos” means denial-of-service; “R2L” means unauthorized access from a remote machine to a local machine; “U2R” means unauthorized access to local superuser privileges by a local unpivileged user. In the binary classification, the labels are encoded as 0 and 1, respectively representing attack label and normal label [24]; in multi-classification, the normal class and the 4 big attack classes are encoded as 0, 1, 2, 3, and 4. The corresponding relationships are 0∼Dos, 1∼Normal, 2∼Probe, 3∼R2 L, and 4∼U2 R.

4.1.1 Character data numeralization

Because of the convolution operation, CNN model can only deal with numerical data. In order to ensure the validity of the input data, the feature “Protocols”, “Protocol_type” and “Flag” are converted into numerical data. The normal and the 4 big attack classes are labeled as 5 classes namely “Normal”, “Probe”, “U2R”, “R2L”, and “Dos”.

4.1.2 Image enhancement

The class imbalance problem in KDDCUP99 data set is serious, and the sample number of classes U2 R and R2 L accounts for less than 1%, which is easy to over-fit the training set in the learning process. Therefore, sample enhancement should be done before training process by using the oversampling method.

The original data set has 41 features. In order to ensure the integrity of the data characteristics, the data filling method proposed in this paper is used to extend the data features to 42 dimensions, and then, the sample set is converted into 6*7 dimensional image features for the input of the CNN model.

4.2 Parameter set of CNN model

The original data set undergoes the preprocessing phase, and the two-dimensional image data is used as the input of the CNN model. In order to adapt to the dimensions of the input matrix, the padding in the convolutional layer is set to “SAME”. The encoded vectors of labels are converted into a binary matrix. In order to learn more detailed features, and loss less important information, this paper selects a small convolution kernel and pooling matrix at the beginning. For the number of nodes and dropout value in the full connection layer, 1024 and 512 were initially selected as the number of nodes and 0.1 as the dropout value, but the performance is not good enough as expected. According to the references [30, 31], this paper reduces the number of nodes and combines multiple experiments to adjust the parameters. Finally, we get the optimal parameters as shown in Table 1.

Table 1
Parameter set of CNN model

Layer in CNN model Parameter list

Input layer Input_idm(6,7)

Convolutional layer1 Number of convolution kernels = 6,kernel_size = (3, 3),stride = (1,1),activation = tanh

Pooling layer1 pool_size = (2, 2),stride = (2,2)

Convolutional layer 2 Number of convolution kernels = 16,kernel_size = (5, 5),stride = (1,1),activation = tanh

Pooling layer2 pool_size = (2, 2),stride = (2,2)

Fully connected layer1 Number of nodes = 120,activation = tanh

Fully connected layer2 Number of nodes = 80,activation = tanh

Dropout dropout = 0.5

Classification layer Number of nodes = 2 or 5,activation = softmax

Layer in CNN model	Parameter list
Input layer	Input_idm(6,7)
Convolutional layer1	Number of convolution kernels = 6,kernel_size = (3, 3),stride = (1,1),activation = tanh
Pooling layer1	pool_size = (2, 2),stride = (2,2)
Convolutional layer 2	Number of convolution kernels = 16,kernel_size = (5, 5),stride = (1,1),activation = tanh
Pooling layer2	pool_size = (2, 2),stride = (2,2)
Fully connected layer1	Number of nodes = 120,activation = tanh
Fully connected layer2	Number of nodes = 80,activation = tanh
Dropout	dropout = 0.5
Classification layer	Number of nodes = 2 or 5,activation = softmax

Binary classification and multi-classification experiments are performed on the KDDCup99 data set. In the last fully connected layer, the number of output neurons for binary classification is 2, for multi- classification is 5, and the other parameters are the same.

4.3 Evaluation metrics

In general classification problems, the commonly used evaluation metrics include accuracy, precision, underreporting, Recall, F1-score, AUC, etc. In the research of intrusion detection, the most important thing is to understand whether the model predicts the unknown data accurately and whether there is underreporting. Therefore, intrusion detection researchers usually use accuracy and false negative rate as metrics to evaluate model performance.

To fully evaluate the performance of the proposed model, this paper chose accuracy (ACC), false negative rate (FNR), precision rate (PR), Recall and F1-score as metrics to verify the effectiveness of ID-IE- CNN algorithm. Based on the confusion matrix shown in Table 2.

Table 2
Confusion Matrix

Actual Predicted

Positive Negative

Positive TP FN

Negative FP TN

Actual	Predicted
	Positive	Negative
Positive	TP	FN
Negative	FP	TN

The ACC, PR, FNR, Recall and F1-score are calculated as follows. $ACC = \frac{TP + TN}{TP + FP + TN + FN}$ (7) $PR = \frac{TP}{TP + FP}$ (8) $FNR = \frac{FN}{TP + FN}$ (9) $Recall = \frac{TP}{TP + FN}$ (10) $F 1 - score = \frac{2 \times PR \times recall}{PR + recall}$ (11) where, True Positive (TP) is the number of actual attack samples classified as attack samples, True Negative (TN) is the number of actual normal samples classified as normal ones, False Positive (FP) is the number of actual normal samples classified as abnormal ones, and False Negative (FN) is the number of actual abnormal samples classified as normal ones. According to the formulas of the metrics. The higher the value of ACC, PR, Recall and F1-score, the better the performance of the model. The smaller the value of FNR, the better the performance of the model.

4.4 Evaluation of the experiment results

4.4.1 The accuracy and loss rate for training

The accuracy and loss rate in the training process, for the training set are shown in in Fig. 10, for the validation set are shown in Fig. 11.

Fig. 10

The accuracy in the training process.

Fig. 11

The loss rate in the training process.

Figure 10 shows the relationship between the accuracy and the epoch. The abscissa “epoch” is the number of training iterations, and the ordinate is the accuracy of the validation set. It can be seen from the figure that the accuracy is higher and the convergence speed gets faster as the epoch increases, and it begins to converge when the epoch is about 30, which means 30 iterations.

Figure 11 shows the relationship between the loss rate and epoch. It can be seen from Fig. 12 that in the process of training, the loss rate gradually decreases as the epoch increases, and it also begins to converge when the epoch is about 30. Contrary to the accuracy, this phenomenon proves the rationality and feasibility of the ID-IE-CNN algorithm.

4.4.2 Binary classification experiment

In order to verify the applicability of the ID-IE-CNN algorithm in the binary classification experiment, the CNN algorithm [32], the RNN algorithm [33], the GR-CNN algorithm [32], the PCA-RNN algorithm [34] and the IGWO-BP algorithm [35] are compared with. The results are shown in Table 3.

Table 3
Comparison results of the binary classification (%)

Algorithm ACC FNR PR Recall F1-score

CNN 99.5 0.63 98.5 99.37 98.93

RNN 83.28 27 96.9 73 83.27

GR-CNN 99.1 1.03 98.3 98.97 98.63

PCA-RNN 87.7 13.72 96.49 86.28 91.10

IGWO-BP 95.32 4.6 97.12 95.32 96.21

ID-IE-CNN 99.73 0.29 99.7 99.71 99.70

Algorithm	ACC	FNR	PR	Recall	F1-score
CNN	99.5	0.63	98.5	99.37	98.93
RNN	83.28	27	96.9	73	83.27
GR-CNN	99.1	1.03	98.3	98.97	98.63
PCA-RNN	87.7	13.72	96.49	86.28	91.10
IGWO-BP	95.32	4.6	97.12	95.32	96.21
ID-IE-CNN	99.73	0.29	99.7	99.71	99.70

It can be seen from Table 3 that, among the deep learning algorithms, the accuracies of the RNN algorithm and the PCA-RNN algorithm are 83.28% and 87.7%, respectively, which are lower than the accuracies of CNN algorithm, GR-CNN algorithm and ID-IE-CNN algorithm. It shows that the CNN model has a best applicability for the analysis of intrusion detection. In ID-IE-CNN algorithm proposed in this paper, the classification accuracy is 99.73%, the false negative rate is 0.29%, and the precision is 99.7%, which are better than the CNN algorithm, the GR-CNN algorithm and IGWO-BP algorithm. Thus, it proves the superiority of the ID-IE-CNN algorithm in intrusion detection classification.

4.4.3 Multi-classification experiment

In order to verify the applicability of the ID-IE-CNN algorithm in the multi-classification experiment, the CNN algorithm [36], the DBN-XGBDT algorithm [37], the LFKPCA-DWELM algorithm [38], the DAE + DNN [39] algorithm and the CNN-Focal [40] algorithm are compared with. The results are shown in Table 4.

Table 4
Comparison results of the multi-classification experiment (%)

Algorithm ACC FNR PR Recall F1-score

CNN 94.37 2.14 93.53 97.86 95.65

DBN-XGBDT 99.21 0.56 98.67 99.44 99.05

LFKPCA- DWELM 97.5 2.92 97.01 97.08 97.05

DAE + DNN 83.33 16.67 86.02 83.33 84.65

CNN-Focal 79.25 20.25 82.56 79.75 81.13

ID-IE-CNN 99.3 0. 2 99. 19 99.8 99.49

Algorithm	ACC	FNR	PR	Recall	F1-score
CNN	94.37	2.14	93.53	97.86	95.65
DBN-XGBDT	99.21	0.56	98.67	99.44	99.05
LFKPCA- DWELM	97.5	2.92	97.01	97.08	97.05
DAE + DNN	83.33	16.67	86.02	83.33	84.65
CNN-Focal	79.25	20.25	82.56	79.75	81.13
ID-IE-CNN	99.3	0. 2	99. 19	99.8	99.49

It can be seen from Table 4 that the accuracy and precision of the ID-IE-CNN algorithm are greatly improved compared to the other five deep learning algorithms, reaching 99.3% and 99.19% respectively. The false negative rate dropped significantly to 0.2%, and the F1-score was the best, which indicates that the ID-IE-CNN algorithm has the best performance. In order to further prove that the accuracy of the ID-IE-CNN algorithm is not affected by the class imbalance, Table 5 details the accuracy of each class.

Table 5

Comparison of classification accuracy (%)

Algorithm	Normal	Probe	Dos	U2R	R2L
CNN	99.26	86.92	96.10	31.58	36.67
DBN-XGBDT	99.52	98.45	99.61	75.37	91.15
LFKPCA- DWELM	99.42	98.02	99.12	87.64	96.31
DAE + DNN	85.09	96.60	93.36	99.17	92.45
CNN-Focal	70.43	81.44	95.93	70.69	91.19
ID-IE-CNN	99.58	99.69	99. 82	98.2	97.1

Table 5 lists the accuracy of each class and shows the comparison with other algorithms. Among the one normal class and four attack classes, the ID-IE-CNN algorithm achieves the best performance in accuracy, especially in the U2 R and R2 L classes with fewer samples. That is because, the sample numbers of Normal, Probe and Dos are quite large, which can provide relatively adequate information for learning, so all the algorithms are close to each other in accuracy. For U2 R and R2 L, the sample numbers are quite small and the information provided is limited. However, samples of U2 R and R2 L are enhanced to achieve the class balance of the data set in the ID-IE-CNN algorithm, and it shows obvious advantage of accuracy in these two classes.

5 Conclusion

The structure of intrusion detection data is complex and its scale is growing exponentially. Traditional machine learning algorithms cannot cope with its class imbalance, high-dimensionality, and nonlinearity. To this end, this paper proposes the ID-IE-CNN algorithm, which uses oversampling and image enhancement technology to increase the capacity of small classes and overcome the class imbalance in intrusion detection data. The application of the CNN model further solves the problem of high-dimensionality and nonlinearity. This paper uses the KDD99 data set to evaluate the performance of the ID-IE-CNN algorithm through binary classification experiments and multi-classification experiments. The experimental results show that the algorithm has improved accuracy and precision compared with the other algorithms and achieved a lower false alarm rate, especially in the classification of small classes, which shows obvious advantages and verifies the effectiveness of the ID-IE-CNN algorithm proposed in this paper.

However, in order to adapt to the complex and changeable Internet society, the algorithm proposed in this paper needs further improvement. First, the technology used to achieve the data balance is relatively single, and we will strive to propose better techniques for balancing datasets and improve the negative effects of imbalances. Then, we will study fuzzy logic methods in depth, refer to [41 –44] and others, and apply them to processing noise and outlier data points for further enhance the ability of intrusion detection.

Footnotes

Acknowledgments

This work is supported by the National Natural Science Foundation of China under Grant Nos. 61807028, 61802332, and 61772449, the Youth Foundation of Hebei Educational Committee of China under Grant No. QN2021145, the Natural Science Foundation of Hebei Province of China under Grant No. F2019203120. The authors are grateful to valuable comments and suggestions of the reviewers.

References

Long

H.V.

, Tong

A.T.

, Taniar

, et al., An efficient algorithm and tool for detecting dangerous website vulnerabilities, International Journal of Web and Grid Services 16(1) (2020), 81–104.

Kumar

, Kumar

A.A.

, Sahayakingsly

, et al., Analysis of intrusion detection in cyber attacks using DEEP learning neural networks, Peer-to-Peer Networking and Applications 6245 (2020), 1–20.

Xue

C.D.

, Analysis of network intrusion detection technology,(11), Network Security Technology & Application (2020), 37–38.

Tuan

T.A.

, Long

H.V.

, Son

L.H.

, et al., Performance evaluation of Botnet DDoS attack detection using machine learning, Evolutionary Intelligence 13 (2019), 1–12.

Krishnan

R.S.

, Julie

E.G.

, Robinson

Y.H.

, et al., Modified zone based intrusion detection system for security enhancement in mobile ad-hoc networks, Wireless Networks 26(2) (2020), 1275–1289.

Y.X.

, Li

Q.L.

, Research on intrusion detection system based on principal component analysis and K-means clustering algorithm, Journal of Wuyi University 39(9) (2020), 42–47.

Lin

W.C.

, Ke

S.W.

, Tsai

C.F.

, CANN: An intrusion detection system based on combining cluster centers and nearest neighbors, Knowledge-Based Systems 78 (2015), 13–21.

Jiang

Z.T.

, Zhou

T.S.Z.

, Two-level hybrid intrusion detection method based on feature selection, Computer Engineering and Design 41(3) (2020), 614–620.

Chen

, Lyu

, Network intrusion detection model based on random forest and XGBoost, Journal of Signal Processing 36(7) (2020), 1055–1064.

10.

Elhefnawy

, Abounaser

, Badr

, A hybrid nested Genetic-Fuzzy algorithm framework for intrusion detection and attacks, IEEE Access 99 (2020), 1–1.

11.

Yao

H.P.

, Wang

Q.Y.

, Wang

L.Y.

, et al., An intrusion detection framework based on hybrid Multi-Level data mining, 47(4) (2019), 740–758.

12.

Meryem

, Ouahidi

B.E.

, Hybrid intrusion detection system using machine learning, Network Security 5 (2020), 8–19.

13.

Jha

, Prashar

, Long

H.V.

, et al., Recurrent neural network for detecting malware, Computers & Security 99 (2020), 1–13.

14.

Zhang

Y.Q.

, Dong

, et al., Situation, trends and prospects of deep learning applied to cyberspace security, Journal of Computer Research and Development 55(06) (2018), 1117–1142.

15.

Goodfellow

, Bengio

, Courville

, Deep Learning, Cambridge, Massachusetts: MIT Press (2016), 528–566.

16.

Zhou

, Zhou

Z.P.

, Wang

, Network intrusion detection method based on Auto Encoder and ResNet, Application Research of Computers 37(S2) (2020), 224–226.

17.

Sohi

S.M.

, Seifert

J.P.

, Ganji

, RNNIDS: Enhancing network intrusion detection systems through deep learning, 102 (2021), 102.

18.

Srikanthyadav

, Gayatri

, Padmaja

, A deep learning approach to network intrusion detection using deep autoencoder, Revue d’Intelligence Artificielle 34(4) (2020), 457–463.

19.

Feng

W.Y.

, Guo

X.B.

, He

Y.Y.

, Intrusion detection model based on feedforward neural network, Netinfo Security 9 (2019), 101–105.

20.

Chakravarthi

S.S.

, Jagadeesh

, Non-linear dimensionality reduction-based intrusion detection using deep autoencoder, International Journal of Advanced Computer Science and Applications 10(8) (2019), 168–174.

21.

Riyaz

, Ganapathy

, A deep learning approach for effective intrusion detection in wireless networks using CNN,(24), Soft Computing (2020), 17265–17278.

22.

Kim

J.Y.

, Cho

S.B.

, Exploiting deep convolutional neural networks for a neural-based learning classifier system, Neurocomputing 354 (2019), 61–70.

23.

Zhang

S.C.

, Xie

X.Y.

, Xu

, Intrusion detection method based on a deep convolutional neural network, Journal of Tsinghua University(Science and Technology) 59(1) (2019), 44–52.

24.

Zhang

Y.H.

, Lyu

, Liu

P.F.

, et al., An encrypted traffic classification method based on convolutional attention gated recurrent networks, Journal of Signal Processing 4 (2021), 1–13.

25.

J.H.

, Liu

Y.P.

, Liu

Y.D.

, et al., CGGA: Text classification model based on CNN and parallel gating mechanism, Journal of Chinese Computer Systems 42(03) (2021), 516–521.

26.

X.Y.

, Liu

H.M.

, Fault diagnosis of rolling bearing based on GA-CNN, Electronic Measurement Technology 44(04) (2021), 126–131.

27.

G.M.

, He

J.L.

, Yan

J.J.

, et al., Convolutional neural network for facial expression recognition, Journal of Nanjing University of Posts and Telecommunications (Natural Science Edition) 36(01) (2016), 16–22.

28.

S.H.

, Qiu

H.L.

, Wu

, et al., Visual detection of liquid leakage based on convolutional neural network, Chinese Journal of Liquid Crystals and Displays 36(05) (2021), 741–750.

29.

Zhang

X.Y.

, Zeng

H.S.

, Jia

, Research of intrusion detection system dataset-KDD CUP99, Computer Engineering and Design 31(22) (2010), 4809–4812.

30.

Michał

, Marek

, Intrusion detection approach based on optimised artificial neural network, Neurocomputing (2020), 1–1.

31.

Jiang

, Wang

, et al., Network intrusion detection combined hybrid sampling with deep hierarchical network, IEEE Access 8 (2020), 32464–32476.

32.

Chi

Y.P.

, Yang

Y.T.

, et al., Design and implementation of network intrusion detection model based on GR-CNN algorithm, Computer Applications and Software 36(12) (2019), 297–302.

33.

Yin

C.L.

, Zhu

Y.F.

, Fei

J.L.

, et al., A deep learning approach for intrusion detection using recurrent neural networks, IEEE Access 5 (2017), 21954–21961.

34.

Liu

J.H.

, Sun

X.W.

, Jin

, Intrusion detection model based on principle component analysis and recurrent neural network, Journal of Chinese Information Processing 34(10) (2020), 105–112.

35.

Wang

Z.D.

, Liu

X.D.

, Hu

Z.D.

, et al., Use improved grey wolf algorithm to optimize BP neural network intrusion detection, Journal of Chinese Computer Systems 42(04) (2021), 875–884.

36.

, Zhang

, An intrusion detection algorithm based on deep CNN, Computer Applications and Software 37(04) (2020), 324–328.

37.

Chen

, Wang

R.T.

, et al., Research on intrusion detection model based on DBN-XGBDT, Computer Engineering and Applications 56(22) (2020), 83–91.

38.

Shen

S.Y.

, Cai

M.C.

, et al., Intrusion detection algorithm based on LFKPCA-DWELM, Computer Engineering and Applications (2021), 1–13.

39.

Kunang

Y.N.

, Nurmaini

, Stiawan

, et al., Attack classification of an intrusion detection system using deep learning and hyperparameter optimization, Journal of Information Security and Applications 58 (2021), 1–15.

40.

Shi

D.G.

, Zhang

X.Q.

, Mao

B.L.

, et al., An intrusion detection method based on convolutional neural network, Computer Applications and Software 37(10) (2020), 323–327+333.

41.

Akbulut

, Sengur

, Guo

, Polat

, KNCM: Kernel neutrosophic c-Means clustering, Applied Soft Computing 52 (2017), 714–724.

42.

Bezdek

J.C.

, Ehrlich

, Full

, FCM: The fuzzy c-means clustering algorithm, Computers & Geosciences 10 (1984), 191–203.

43.

Cheng

H.D.

, Guo

, A new neutrosophic approach to image thresholding, New Math Nat Comput 499(3) (2009), 291–308.

44.

Can

N.V.

, Tu

D.N.

, Tong

A.T.

, et al., A new method to classify malicious domain name using neutrosophic sets in DGA botnet detection, Journal of Intelligent & Fuzzy Systems 38(4) (2020), 4223–4236.

Intrusion detection algorithm based on image enhanced convolutional neural network

Abstract

Keywords

1 Introduction

2 Related technologies

2.1 Data preprocessing

2.1.2 Image enhancement

4.1 Experimental data preprocessing

4.1.1 Character data numeralization

4.1.2 Image enhancement

4.2 Parameter set of CNN model

Table 2 Confusion Matrix Actual Predicted Positive Negative Positive TP FN Negative FP TN

4.4.1 The accuracy and loss rate for training

Table 3 Comparison results of the binary classification (%) Algorithm ACC FNR PR Recall F1-score CNN 99.5 0.63 98.5 99.37 98.93 RNN 83.28 27 96.9 73 83.27 GR-CNN 99.1 1.03 98.3 98.97 98.63 PCA-RNN 87.7 13.72 96.49 86.28 91.10 IGWO-BP 95.32 4.6 97.12 95.32 96.21 ID-IE-CNN 99.73 0.29 99.7 99.71 99.70

Footnotes

Acknowledgments

References

Table 2
Confusion Matrix

Actual Predicted

Positive Negative

Positive TP FN

Negative FP TN