Abstract

Network traffic on the data link layer is a massive, high-speed data flow in which information is easily camouflaged and abnormal traffic is far less common than normal traffic. Considering these characteristics, an intrusion detection system (IDS) based on a quantitative model of the interaction mode between ports is proposed. The model gives a quantitative expression of the Port Interaction Mode in Data Link Layer (PIMDL), focusing on improving the accuracy and efficiency of intrusion detection by using the arrival time distribution of traffic. The feasibility of the proposed model is proved by phase space reconstruction and a visualization method. According to the characteristics of long and short sessions, a neural network based on CNN and LSTM is designed to mine the differences between normal and abnormal models. On this basis, an improved intrusion detection algorithm based on a multi-model scoring mechanism is designed to classify sessions in model space. The experiments show that the proposed quantitative model and improved algorithm can not only effectively avoid camouflaged identity information, but also improve computational efficiency and increase the accuracy of small-sample anomaly detection.

Highlights

  • To avoid the serious losses caused by network attacks, it is important to build an effective intrusion detection model to explore the existing characteristic rules in mass traffic data

  • To solve the problems above, this paper proposes Port Interaction Mode in Data Link Layer (PIMDL), which reconstructs the traffic feature set from the initial traffic to quantify the network traffic

  • In order to keep a gap with the training data, the abnormal traffic was measured by 40% of the initial traffic, and the normal traffic was selected from MAWI from 00:00 to 02:00 on April 9


Summary

INTRODUCTION

To avoid the serious losses caused by network attacks, it is important to build an effective intrusion detection model that explores the characteristic rules present in mass traffic data. Previous studies have trained neural networks on a large amount of high-level protocol information (e.g. logon status, flag). When attackers camouflage these attributes, the classification accuracy of the neural networks is greatly affected. The paper designs a multi-model scoring mechanism to evaluate network traffic, maps sessions into a three-dimensional model space, uses a Support Vector Machine (SVM) to classify session traffic in model space, and implements traffic intrusion detection. This algorithm is the core of our work; its theoretical basis is the research presented before Section C of Chapter IV. The effectiveness of the improved algorithm is proved by the final comparison experiment.

RELATED WORKS
CONSISTENCY VERIFICATION OF PIMDL BASED ON AUTOCORRELATION FUNCTION
EXPERIMENTAL RESULTS ANALYSIS
CONCLUSION