Adoption and realization of deep learning in network traffic anomaly detection device design

Abstract

In order to study the application of deep learning in the design of network traffic anomaly detection device, aiming at two common problems in the field of network anomaly detection: characteristic dependence and high false positive rate, the convolutional neural network (CNN) is combined with recurrent neural network (RNN) to propose the network anomaly detection method based on hierarchical spatiotemporal feature learning (HAST-NAD) based on deep learning. It automatically learns the traffic characteristics and improves the network traffic anomaly detection efficiency. First, the CNN is used to learn the spatial feature algorithm of data, and long-short term memory of RNN is used to learn the temporal feature algorithm of data. Then the two original data sets DARPA1998 and ISCX2012 are preprocessed. The accuracy, detection rate, and false positive rate of normal traffic and Dos, Probe, U2R, and R2L attack traffic are compared in DARPA1998 data set. The accuracy, detection rate, and false positive rate of normal traffic and Brute force SSH, DDoS, HttpDoS, and buffering attack traffic are compared in ISCX2012 data set. Finally, it is compared with other network traffic anomaly detection methods. The results show that when the network flow length is 800, the model shows good performance on the DARPA1998 data set (accuracy, detection rate and false positive rate are 98.68%, 97.78%, and 0.07%, respectively). When the network flow length is 600, the model performs better on the ISCX2012 dataset (accuracy, detection rate and false positive rate are 99.69%, 96.91%, and 0.22%, respectively). At the same time, when the packet length is 100 and the number of packets is 6, the model shows high precision, high detection rate, and low false positive rate on ISCX2012 data set. In the same data set, the temporal feature algorithm has better performance and lower false positive rate than the spatial feature algorithm. Compared with other network traffic anomaly detection methods, HAST-NAD has better comprehensive test results. In conclusion, the combination of CNN and RNN can better realize abnormal detection of network traffic, which has practical application and theoretical value.