Unsupervised Host Intrusion Detection Method Based on EKM-AE Model
Cite this article: CHAI Ya-chuang, YANG Wen-zhong, ZHANG Zhi-hao, HU Zhi-quan, DU Hui-xiang, QIAN Yun-yun. Unsupervised Host Intrusion Detection Method Based on EKM-AE Model[J]. Mini-micro Systems, 2021(4): 868-874.
Authors: CHAI Ya-chuang, YANG Wen-zhong, ZHANG Zhi-hao, HU Zhi-quan, DU Hui-xiang, QIAN Yun-yun
Affiliation: College of Information Science and Engineering, Xinjiang University, Urumqi 830046, China; School of Software, Xinjiang University, Urumqi 830046, China
Funding: Supported by the National Natural Science Foundation of China (U1603115); the National Key Research and Development Program of China (2017YFC0820702-3); the Innovation Team Project of the University Scientific Research Program of Xinjiang Uygur Autonomous Region (XJEDU2017T002); and the Sichuan Science and Technology Program (WA2018-YY007).
Abstract: Deep learning methods applied to intrusion detection require large annotated data sets and are difficult to run in real time. To address these defects, an EKM-AE (ensemble K-means and autoencoder) intrusion detection method combining ensemble K-means clustering with an autoencoder is proposed, based on the general rule that normal data outnumbers abnormal data in network traffic. First, ensemble K-means clustering extracts normal samples from network traffic captured in real time, and these samples are used to train the autoencoder; the trained autoencoder then performs intrusion detection. Intrusion detection experiments were carried out on a host in a virtual LAN environment. The results show that the method has good detection performance in the vast majority of practical application scenarios (normal traffic exceeds abnormal traffic), that the whole process is unsupervised, and that it supports real-time online detection, so it helps improve the network security of the host.

Keywords: ensemble K-means clustering; autoencoder; network intrusion detection; unsupervised learning; real-time online detection
This article is indexed in VIP (维普) and other databases.